mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Add BiF for looking up a connection's numeric protocol analyzer IDs
This adds a new lookup_connection_analyzer_id() BiF to find a given connection's numeric identifier for a given protocol analyzer (as defined by the underlying Analyzer::id_counter). This enables users to call disable_analyzer(), which requires a numeric analyzer ID, outside of analyzer_confirmation_info and analyzer_violation_info events handlers.
This commit is contained in:
Christian Kreibich
parent
c04e503c92
commit
3e97ec39b8
2 changed files with 48 additions and 0 deletions
20
NEWS
20
NEWS
|
|
@ -39,6 +39,26 @@ New Functionality
|
||||||
- SMB2 packets containing multiple PDUs now correctly parse all of the headers,
|
- SMB2 packets containing multiple PDUs now correctly parse all of the headers,
|
||||||
instead of just the first one and ignoring the rest.
|
instead of just the first one and ignoring the rest.
|
||||||
|
|
||||||
|
- The new built-in function ``lookup_connection_analyzer_id()`` retrieves the
|
||||||
|
numeric identifier of an analyzer associated with a connection. This enables
|
||||||
|
the use of the ``disable_analyzer()`` BiF outside of the analyzer
|
||||||
|
confirmation/violation events that have so far been the only providers of
|
||||||
|
those identifiers. For example, this allows the suppression of an analyzer
|
||||||
|
from the outset for specific connections:
|
||||||
|
|
||||||
|
event connection_established(c: connection):
|
||||||
|
{
|
||||||
|
if ( no_http_for_this_conn_wanted(c) )
|
||||||
|
{
|
||||||
|
local aid = lookup_connection_analyzer_id(c$id, Analyzer::ANALYZER_HTTP);
|
||||||
|
if ( aid > 0 )
|
||||||
|
disable_analyzer(c$id, aid, T, T);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Use ``Analyzer::get_tag()`` if you need to obtain an analyzer's tag from its
|
||||||
|
name (such as "HTTP").
|
||||||
|
|
||||||
Changed Functionality
|
Changed Functionality
|
||||||
---------------------
|
---------------------
|
||||||
|
|
||||||
|
|
|
||||||
28
src/zeek.bif
28
src/zeek.bif
|
|
@ -4121,6 +4121,34 @@ function file_mode%(mode: count%): string
|
||||||
#include "zeek/analyzer/Manager.h"
|
#include "zeek/analyzer/Manager.h"
|
||||||
%%}
|
%%}
|
||||||
|
|
||||||
|
## Returns the numeric ID of the requested protocol analyzer for the given
|
||||||
|
## connection.
|
||||||
|
##
|
||||||
|
## cid: The connection identifier.
|
||||||
|
##
|
||||||
|
## atype: The analyzer tag, such as ``Analyzer::ANALYZER_HTTP``.
|
||||||
|
##
|
||||||
|
## Returns: a numeric identifier for the analyzer, valid for the given
|
||||||
|
## connection. When no such analyzer exists the function returns
|
||||||
|
## 0, which is never a valid analyzer ID value.
|
||||||
|
##
|
||||||
|
## .. zeek:see:: disable_analyzer Analyzer::disabling_analyzer
|
||||||
|
function lookup_connection_analyzer_id%(cid: conn_id, atype: AllAnalyzers::Tag%): count
|
||||||
|
%{
|
||||||
|
Connection* c = session_mgr->FindConnection(cid);
|
||||||
|
if ( ! c )
|
||||||
|
{
|
||||||
|
zeek::emit_builtin_error("connection ID not a known connection", cid);
|
||||||
|
return zeek::val_mgr->Count(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
analyzer::Analyzer* a = c->FindAnalyzer(analyzer_mgr->GetComponentTag(atype));
|
||||||
|
if ( ! a )
|
||||||
|
return zeek::val_mgr->Count(0);
|
||||||
|
|
||||||
|
return zeek::val_mgr->Count(a->GetID());
|
||||||
|
%}
|
||||||
|
|
||||||
## Disables the analyzer which raised the current event (if the analyzer
|
## Disables the analyzer which raised the current event (if the analyzer
|
||||||
## belongs to the given connection).
|
## belongs to the given connection).
|
||||||
##
|
##
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue