Add PacketAnalyzer::register_for_port(s) functions
These allow packet analyzers to register ports as identifiers to forward from parent analyzers, while also adding those ports to the now-global Analyzer::ports table at the same time.
parent
612212568a
commit
44e0760e96
6 changed files with 85 additions and 10 deletions
|
@ -133,12 +133,16 @@ export {
|
||||||
global disabled_analyzers: set[Analyzer::Tag] = {
|
global disabled_analyzers: set[Analyzer::Tag] = {
|
||||||
ANALYZER_TCPSTATS,
|
ANALYZER_TCPSTATS,
|
||||||
} &redef;
|
} &redef;
|
||||||
|
|
||||||
|
## A table of ports mapped to analyzers that handle those ports. This is
|
||||||
|
## used by BPF filtering and DPD. Session analyzers can add to this using
|
||||||
|
## Analyzer::register_for_port(s) and packet analyzers can add to this
|
||||||
|
## using PacketAnalyzer::register_for_port(s).
|
||||||
|
global ports: table[AllAnalyzers::Tag] of set[port];
|
||||||
}
|
}
|
||||||
|
|
||||||
@load base/bif/analyzer.bif
|
@load base/bif/analyzer.bif
|
||||||
|
|
||||||
global ports: table[AllAnalyzers::Tag] of set[port];
|
|
||||||
|
|
||||||
event zeek_init() &priority=5
|
event zeek_init() &priority=5
|
||||||
{
|
{
|
||||||
if ( disable_all )
|
if ( disable_all )
|
||||||
|
@ -158,7 +162,7 @@ function disable_analyzer(tag: Analyzer::Tag) : bool
|
||||||
return __disable_analyzer(tag);
|
return __disable_analyzer(tag);
|
||||||
}
|
}
|
||||||
|
|
||||||
function register_for_ports(tag: AllAnalyzers::Tag, ports: set[port]) : bool
|
function register_for_ports(tag: Analyzer::Tag, ports: set[port]) : bool
|
||||||
{
|
{
|
||||||
local rc = T;
|
local rc = T;
|
||||||
|
|
||||||
|
@ -171,7 +175,7 @@ function register_for_ports(tag: AllAnalyzers::Tag, ports: set[port]) : bool
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
function register_for_port(tag: AllAnalyzers::Tag, p: port) : bool
|
function register_for_port(tag: Analyzer::Tag, p: port) : bool
|
||||||
{
|
{
|
||||||
if ( ! __register_for_port(tag, p) )
|
if ( ! __register_for_port(tag, p) )
|
||||||
return F;
|
return F;
|
||||||
|
|
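Review bot: Moving `ports` into the `export` block makes it writable from any script, and the new comment above it does not say that direct writes are unsupported. Since that comment states the table is used by BPF filtering and DPD, an entry added or removed by hand would presumably change the capture filter without the analyzer actually being registered for that port. I would extend the comment with a line such as `## Treat this table as read-only; change it only through the register_for_port(s) functions.` The export block and `zeek_init` both continue outside the hunk.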
|
@ -1,3 +1,5 @@
|
||||||
|
@load ./main.zeek
|
||||||
|
|
||||||
@load base/packet-protocols/root
|
@load base/packet-protocols/root
|
||||||
@load base/packet-protocols/ip
|
@load base/packet-protocols/ip
|
||||||
@load base/packet-protocols/skip
|
@load base/packet-protocols/skip
|
||||||
|
|
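--- a/scripts/base/packet-protocols/main.zeek
+++ b/scripts/base/packet-protocols/main.zeek
@@ -0,0 +1,61 @@
+module PacketAnalyzer;
+
+@load base/frameworks/analyzer/main.zeek
+
+export {
+## Registers a set of well-known ports for an analyzer. If a future
+## connection on one of these ports is seen, the analyzer will be
+## automatically assigned to parsing it. The function *adds* to all ports
+## already registered, it doesn't replace them.
+##
+## tag: The tag of the analyzer.
+##
+## ports: The set of well-known ports to associate with the analyzer.
+##
+## Returns: True if the ports were successfully registered.
+global register_for_ports: function(parent: PacketAnalyzer::Tag,
+child: PacketAnalyzer::Tag,
+ports: set[port]) : bool;
+
+## Registers an individual well-known port for an analyzer. If a future
+## connection on this port is seen, the analyzer will be automatically
+## assigned to parsing it. The function *adds* to all ports already
+## registered, it doesn't replace them.
+##
+## tag: The tag of the analyzer.
+##
+## p: The well-known port to associate with the analyzer.
+##
+## Returns: True if the port was successfully registered.
+global register_for_port: function(parent: PacketAnalyzer::Tag,
+child: PacketAnalyzer::Tag,
+p: port) : bool;
+}
+
+function register_for_ports(parent: PacketAnalyzer::Tag,
+child: PacketAnalyzer::Tag,
+ports: set[port]) : bool
+{
+local rc = T;
+
+for ( p in ports )
+{
+if ( ! register_for_port(parent, child, p) )
+rc = F;
+}
+
+return rc;
+}
+
+function register_for_port(parent: PacketAnalyzer::Tag,
+child: PacketAnalyzer::Tag,
+p: port) : bool
+{
+register_packet_analyzer(parent, port_to_count(p), child);
+
+if ( child !in Analyzer::ports )
+Analyzer::ports[child] = set();
+
+add Analyzer::ports[child][p];
+return T;
+}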
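Review bot: `register_for_port` discards the result of `register_packet_analyzer(parent, port_to_count(p), child)` and always returns `T`, so the port is added to `Analyzer::ports` even when the forwarding registration did not take effect, and the `rc = F` branch in `register_for_ports` can never run. If the call reports failure through its return value (its declaration is not part of this diff), guard it: `if ( ! register_packet_analyzer(parent, port_to_count(p), child) ) return F;`. That keeps the table, which the analyzer framework's comment says is used by BPF filtering and DPD, limited to ports that are really forwarded. The doc comments in the export block also describe a `tag:` parameter, while both functions take `parent` and `child`; they should document those two names instead.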
|
@ -23,6 +23,10 @@ scripts/base/init-bare.zeek
|
||||||
build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek
|
build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek
|
||||||
build/scripts/base/bif/event.bif.zeek
|
build/scripts/base/bif/event.bif.zeek
|
||||||
scripts/base/packet-protocols/__load__.zeek
|
scripts/base/packet-protocols/__load__.zeek
|
||||||
|
scripts/base/packet-protocols/main.zeek
|
||||||
|
scripts/base/frameworks/analyzer/main.zeek
|
||||||
|
scripts/base/frameworks/packet-filter/utils.zeek
|
||||||
|
build/scripts/base/bif/analyzer.bif.zeek
|
||||||
scripts/base/packet-protocols/root/__load__.zeek
|
scripts/base/packet-protocols/root/__load__.zeek
|
||||||
scripts/base/packet-protocols/root/main.zeek
|
scripts/base/packet-protocols/root/main.zeek
|
||||||
scripts/base/packet-protocols/ip/__load__.zeek
|
scripts/base/packet-protocols/ip/__load__.zeek
|
||||||
|
@ -94,9 +98,6 @@ scripts/base/init-frameworks-and-bifs.zeek
|
||||||
scripts/base/frameworks/input/readers/config.zeek
|
scripts/base/frameworks/input/readers/config.zeek
|
||||||
scripts/base/frameworks/input/readers/sqlite.zeek
|
scripts/base/frameworks/input/readers/sqlite.zeek
|
||||||
scripts/base/frameworks/analyzer/__load__.zeek
|
scripts/base/frameworks/analyzer/__load__.zeek
|
||||||
scripts/base/frameworks/analyzer/main.zeek
|
|
||||||
scripts/base/frameworks/packet-filter/utils.zeek
|
|
||||||
build/scripts/base/bif/analyzer.bif.zeek
|
|
||||||
scripts/base/frameworks/files/__load__.zeek
|
scripts/base/frameworks/files/__load__.zeek
|
||||||
scripts/base/frameworks/files/main.zeek
|
scripts/base/frameworks/files/main.zeek
|
||||||
build/scripts/base/bif/file_analysis.bif.zeek
|
build/scripts/base/bif/file_analysis.bif.zeek
|
||||||
|
|
|
@ -23,6 +23,10 @@ scripts/base/init-bare.zeek
|
||||||
build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek
|
build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek
|
||||||
build/scripts/base/bif/event.bif.zeek
|
build/scripts/base/bif/event.bif.zeek
|
||||||
scripts/base/packet-protocols/__load__.zeek
|
scripts/base/packet-protocols/__load__.zeek
|
||||||
|
scripts/base/packet-protocols/main.zeek
|
||||||
|
scripts/base/frameworks/analyzer/main.zeek
|
||||||
|
scripts/base/frameworks/packet-filter/utils.zeek
|
||||||
|
build/scripts/base/bif/analyzer.bif.zeek
|
||||||
scripts/base/packet-protocols/root/__load__.zeek
|
scripts/base/packet-protocols/root/__load__.zeek
|
||||||
scripts/base/packet-protocols/root/main.zeek
|
scripts/base/packet-protocols/root/main.zeek
|
||||||
scripts/base/packet-protocols/ip/__load__.zeek
|
scripts/base/packet-protocols/ip/__load__.zeek
|
||||||
|
@ -94,9 +98,6 @@ scripts/base/init-frameworks-and-bifs.zeek
|
||||||
scripts/base/frameworks/input/readers/config.zeek
|
scripts/base/frameworks/input/readers/config.zeek
|
||||||
scripts/base/frameworks/input/readers/sqlite.zeek
|
scripts/base/frameworks/input/readers/sqlite.zeek
|
||||||
scripts/base/frameworks/analyzer/__load__.zeek
|
scripts/base/frameworks/analyzer/__load__.zeek
|
||||||
scripts/base/frameworks/analyzer/main.zeek
|
|
||||||
scripts/base/frameworks/packet-filter/utils.zeek
|
|
||||||
build/scripts/base/bif/analyzer.bif.zeek
|
|
||||||
scripts/base/frameworks/files/__load__.zeek
|
scripts/base/frameworks/files/__load__.zeek
|
||||||
scripts/base/frameworks/files/main.zeek
|
scripts/base/frameworks/files/main.zeek
|
||||||
build/scripts/base/bif/file_analysis.bif.zeek
|
build/scripts/base/bif/file_analysis.bif.zeek
|
||||||
|
|
|
@ -845,6 +845,7 @@
|
||||||
0.000000 MetaHookPost LoadFile(0, ./logging.bif.zeek, <...>/logging.bif.zeek) -> -1
|
0.000000 MetaHookPost LoadFile(0, ./logging.bif.zeek, <...>/logging.bif.zeek) -> -1
|
||||||
0.000000 MetaHookPost LoadFile(0, ./magic, <...>/magic) -> -1
|
0.000000 MetaHookPost LoadFile(0, ./magic, <...>/magic) -> -1
|
||||||
0.000000 MetaHookPost LoadFile(0, ./main, <...>/main.zeek) -> -1
|
0.000000 MetaHookPost LoadFile(0, ./main, <...>/main.zeek) -> -1
|
||||||
|
0.000000 MetaHookPost LoadFile(0, ./main.zeek, <...>/main.zeek) -> -1
|
||||||
0.000000 MetaHookPost LoadFile(0, ./max, <...>/max.zeek) -> -1
|
0.000000 MetaHookPost LoadFile(0, ./max, <...>/max.zeek) -> -1
|
||||||
0.000000 MetaHookPost LoadFile(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek) -> -1
|
0.000000 MetaHookPost LoadFile(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek) -> -1
|
||||||
0.000000 MetaHookPost LoadFile(0, ./min, <...>/min.zeek) -> -1
|
0.000000 MetaHookPost LoadFile(0, ./min, <...>/min.zeek) -> -1
|
||||||
|
@ -967,6 +968,7 @@
|
||||||
0.000000 MetaHookPost LoadFile(0, base<...>/logging, <...>/logging) -> -1
|
0.000000 MetaHookPost LoadFile(0, base<...>/logging, <...>/logging) -> -1
|
||||||
0.000000 MetaHookPost LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> -1
|
0.000000 MetaHookPost LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> -1
|
||||||
0.000000 MetaHookPost LoadFile(0, base<...>/main, <...>/main.zeek) -> -1
|
0.000000 MetaHookPost LoadFile(0, base<...>/main, <...>/main.zeek) -> -1
|
||||||
|
0.000000 MetaHookPost LoadFile(0, base<...>/main.zeek, <...>/main.zeek) -> -1
|
||||||
0.000000 MetaHookPost LoadFile(0, base<...>/messaging.bif, <...>/messaging.bif.zeek) -> -1
|
0.000000 MetaHookPost LoadFile(0, base<...>/messaging.bif, <...>/messaging.bif.zeek) -> -1
|
||||||
0.000000 MetaHookPost LoadFile(0, base<...>/modbus, <...>/modbus) -> -1
|
0.000000 MetaHookPost LoadFile(0, base<...>/modbus, <...>/modbus) -> -1
|
||||||
0.000000 MetaHookPost LoadFile(0, base<...>/mpls, <...>/mpls) -> -1
|
0.000000 MetaHookPost LoadFile(0, base<...>/mpls, <...>/mpls) -> -1
|
||||||
|
@ -2265,6 +2267,7 @@
|
||||||
0.000000 MetaHookPre LoadFile(0, ./logging.bif.zeek, <...>/logging.bif.zeek)
|
0.000000 MetaHookPre LoadFile(0, ./logging.bif.zeek, <...>/logging.bif.zeek)
|
||||||
0.000000 MetaHookPre LoadFile(0, ./magic, <...>/magic)
|
0.000000 MetaHookPre LoadFile(0, ./magic, <...>/magic)
|
||||||
0.000000 MetaHookPre LoadFile(0, ./main, <...>/main.zeek)
|
0.000000 MetaHookPre LoadFile(0, ./main, <...>/main.zeek)
|
||||||
|
0.000000 MetaHookPre LoadFile(0, ./main.zeek, <...>/main.zeek)
|
||||||
0.000000 MetaHookPre LoadFile(0, ./max, <...>/max.zeek)
|
0.000000 MetaHookPre LoadFile(0, ./max, <...>/max.zeek)
|
||||||
0.000000 MetaHookPre LoadFile(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek)
|
0.000000 MetaHookPre LoadFile(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek)
|
||||||
0.000000 MetaHookPre LoadFile(0, ./min, <...>/min.zeek)
|
0.000000 MetaHookPre LoadFile(0, ./min, <...>/min.zeek)
|
||||||
|
@ -2387,6 +2390,7 @@
|
||||||
0.000000 MetaHookPre LoadFile(0, base<...>/logging, <...>/logging)
|
0.000000 MetaHookPre LoadFile(0, base<...>/logging, <...>/logging)
|
||||||
0.000000 MetaHookPre LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek)
|
0.000000 MetaHookPre LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek)
|
||||||
0.000000 MetaHookPre LoadFile(0, base<...>/main, <...>/main.zeek)
|
0.000000 MetaHookPre LoadFile(0, base<...>/main, <...>/main.zeek)
|
||||||
|
0.000000 MetaHookPre LoadFile(0, base<...>/main.zeek, <...>/main.zeek)
|
||||||
0.000000 MetaHookPre LoadFile(0, base<...>/messaging.bif, <...>/messaging.bif.zeek)
|
0.000000 MetaHookPre LoadFile(0, base<...>/messaging.bif, <...>/messaging.bif.zeek)
|
||||||
0.000000 MetaHookPre LoadFile(0, base<...>/modbus, <...>/modbus)
|
0.000000 MetaHookPre LoadFile(0, base<...>/modbus, <...>/modbus)
|
||||||
0.000000 MetaHookPre LoadFile(0, base<...>/mpls, <...>/mpls)
|
0.000000 MetaHookPre LoadFile(0, base<...>/mpls, <...>/mpls)
|
||||||
|
@ -3693,6 +3697,7 @@
|
||||||
0.000000 | HookLoadFile ./logging.bif.zeek <...>/logging.bif.zeek
|
0.000000 | HookLoadFile ./logging.bif.zeek <...>/logging.bif.zeek
|
||||||
0.000000 | HookLoadFile ./magic <...>/magic
|
0.000000 | HookLoadFile ./magic <...>/magic
|
||||||
0.000000 | HookLoadFile ./main <...>/main.zeek
|
0.000000 | HookLoadFile ./main <...>/main.zeek
|
||||||
|
0.000000 | HookLoadFile ./main.zeek <...>/main.zeek
|
||||||
0.000000 | HookLoadFile ./max <...>/max.zeek
|
0.000000 | HookLoadFile ./max <...>/max.zeek
|
||||||
0.000000 | HookLoadFile ./messaging.bif.zeek <...>/messaging.bif.zeek
|
0.000000 | HookLoadFile ./messaging.bif.zeek <...>/messaging.bif.zeek
|
||||||
0.000000 | HookLoadFile ./min <...>/min.zeek
|
0.000000 | HookLoadFile ./min <...>/min.zeek
|
||||||
|
@ -3818,6 +3823,7 @@
|
||||||
0.000000 | HookLoadFile base<...>/logging <...>/logging
|
0.000000 | HookLoadFile base<...>/logging <...>/logging
|
||||||
0.000000 | HookLoadFile base<...>/logging.bif <...>/logging.bif.zeek
|
0.000000 | HookLoadFile base<...>/logging.bif <...>/logging.bif.zeek
|
||||||
0.000000 | HookLoadFile base<...>/main <...>/main.zeek
|
0.000000 | HookLoadFile base<...>/main <...>/main.zeek
|
||||||
|
0.000000 | HookLoadFile base<...>/main.zeek <...>/main.zeek
|
||||||
0.000000 | HookLoadFile base<...>/messaging.bif <...>/messaging.bif.zeek
|
0.000000 | HookLoadFile base<...>/messaging.bif <...>/messaging.bif.zeek
|
||||||
0.000000 | HookLoadFile base<...>/modbus <...>/modbus
|
0.000000 | HookLoadFile base<...>/modbus <...>/modbus
|
||||||
0.000000 | HookLoadFile base<...>/mpls <...>/mpls
|
0.000000 | HookLoadFile base<...>/mpls <...>/mpls
|
||||||
|
|