mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Add BiF for looking up a connection's numeric protocol analyzer IDs
This adds a new lookup_connection_analyzer_id() BiF to find a given connection's numeric identifier for a given protocol analyzer (as defined by the underlying Analyzer::id_counter). This enables users to call disable_analyzer(), which requires a numeric analyzer ID, outside of analyzer_confirmation_info and analyzer_violation_info events handlers.
This commit is contained in:
Christian Kreibich
parent
c04e503c92
commit
3e97ec39b8
2 changed files with 48 additions and 0 deletions
20
NEWS
20
NEWS
|
|
@ -39,6 +39,26 @@ New Functionality
|
|||
- SMB2 packets containing multiple PDUs now correctly parse all of the headers,
|
||||
instead of just the first one and ignoring the rest.
|
||||
|
||||
- The new built-in function ``lookup_connection_analyzer_id()`` retrieves the
|
||||
numeric identifier of an analyzer associated with a connection. This enables
|
||||
the use of the ``disable_analyzer()`` BiF outside of the analyzer
|
||||
confirmation/violation events that have so far been the only providers of
|
||||
those identifiers. For example, this allows the suppression of an analyzer
|
||||
from the outset for specific connections:
|
||||
|
||||
event connection_established(c: connection):
|
||||
{
|
||||
if ( no_http_for_this_conn_wanted(c) )
|
||||
{
|
||||
local aid = lookup_connection_analyzer_id(c$id, Analyzer::ANALYZER_HTTP);
|
||||
if ( aid > 0 )
|
||||
disable_analyzer(c$id, aid, T, T);
|
||||
}
|
||||
}
|
||||
|
||||
Use ``Analyzer::get_tag()`` if you need to obtain an analyzer's tag from its
|
||||
name (such as "HTTP").
|
||||
|
||||
Changed Functionality
|
||||
---------------------
|
||||
|
||||
|
|
|
|||
28
src/zeek.bif
28
src/zeek.bif
|
|
@ -4121,6 +4121,34 @@ function file_mode%(mode: count%): string
|
|||
#include "zeek/analyzer/Manager.h"
|
||||
%%}
|
||||
|
||||
## Returns the numeric ID of the requested protocol analyzer for the given
|
||||
## connection.
|
||||
##
|
||||
## cid: The connection identifier.
|
||||
##
|
||||
## atype: The analyzer tag, such as ``Analyzer::ANALYZER_HTTP``.
|
||||
##
|
||||
## Returns: a numeric identifier for the analyzer, valid for the given
|
||||
## connection. When no such analyzer exists the function returns
|
||||
## 0, which is never a valid analyzer ID value.
|
||||
##
|
||||
## .. zeek:see:: disable_analyzer Analyzer::disabling_analyzer
|
||||
function lookup_connection_analyzer_id%(cid: conn_id, atype: AllAnalyzers::Tag%): count
|
||||
%{
|
||||
Connection* c = session_mgr->FindConnection(cid);
|
||||
if ( ! c )
|
||||
{
|
||||
zeek::emit_builtin_error("connection ID not a known connection", cid);
|
||||
return zeek::val_mgr->Count(0);
|
||||
}
|
||||
|
||||
analyzer::Analyzer* a = c->FindAnalyzer(analyzer_mgr->GetComponentTag(atype));
|
||||
if ( ! a )
|
||||
return zeek::val_mgr->Count(0);
|
||||
|
||||
return zeek::val_mgr->Count(a->GetID());
|
||||
%}
|
||||
|
||||
## Disables the analyzer which raised the current event (if the analyzer
|
||||
## belongs to the given connection).
|
||||
##
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue