Add conn_generic_packet_threshold_crossed event

Jan Grashoefer 2025-06-30 14:55:36 +02:00
parent e79ae5a1d9
commit 4831bf80d1
4 changed files with 28 additions and 1 deletions


@ -6369,6 +6369,18 @@ export {
}; };
} }
module ConnThreshold;
export {
## Number of packets required to be observed on any IP-based session to
## trigger :zeek:id:`conn_generic_packet_threshold_crossed`. Note that the
## threshold refers to the total number of packets transferred in both
## directions.
##
## .. zeek:see:: conn_generic_packet_threshold_crossed
const generic_packet_threshold = 5 &redef;
}
module GLOBAL; module GLOBAL;
@load base/bif/event.bif @load base/bif/event.bif
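Review bot: The docstring for `generic_packet_threshold` does not say what happens at the boundary value, yet the C++ check in ConnSize_Analyzer::CheckThresholds guards with `generic_packet_threshold &&`, so a redef to 0 silently disables the event. Operators tuning this knob for noisy environments will want that spelled out next to the `&redef`. I would add `## Setting this to 0 disables the event.` after the "both directions" sentence. It would also help to state that the event fires only when the total reaches the threshold exactly, since the implementation compares with `==` rather than `>=`.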


@ -37,6 +37,13 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bo
} }
void ConnSize_Analyzer::CheckThresholds(bool is_orig) { void ConnSize_Analyzer::CheckThresholds(bool is_orig) {
static const auto generic_packet_threshold = id::find_const("ConnThreshold::generic_packet_threshold")->AsCount();
if ( conn_generic_packet_threshold_crossed && generic_packet_threshold &&
(orig_pkts + resp_pkts) == generic_packet_threshold ) {
EnqueueConnEvent(conn_generic_packet_threshold_crossed, ConnVal());
}
if ( is_orig ) { if ( is_orig ) {
if ( orig_bytes_thresh && orig_bytes >= orig_bytes_thresh ) { if ( orig_bytes_thresh && orig_bytes >= orig_bytes_thresh ) {
ThresholdEvent(conn_bytes_threshold_crossed, orig_bytes_thresh, is_orig); ThresholdEvent(conn_bytes_threshold_crossed, orig_bytes_thresh, is_orig);
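Review bot: The `==` in `(orig_pkts + resp_pkts) == generic_packet_threshold` is load-bearing and deserves a comment: it is what makes the event fire exactly once per connection without a per-connection "already fired" flag, but that only holds if CheckThresholds runs for every counted packet, which this hunk does not show. If the analyzer can be attached after the first packets or the counters can advance by more than one between calls, the equality is skipped and the event never fires; if that is possible, `>=` plus a one-shot flag would be safer. I would add `// Equality (not >=) fires once without extra state; relies on CheckThresholds running for every packet.` above the `if`. The `static const auto` snapshot of the redef'able constant is fine for a `const`, but a short comment saying it is read once on first call would prevent someone later turning it into an option and expecting live updates. CheckThresholds continues outside the hunk.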


@ -46,3 +46,10 @@ event conn_packets_threshold_crossed%(c: connection, threshold: count, is_orig:
## get_current_conn_bytes_threshold get_current_conn_packets_threshold ## get_current_conn_bytes_threshold get_current_conn_packets_threshold
## set_current_conn_duration_threshold get_current_conn_duration_threshold ## set_current_conn_duration_threshold get_current_conn_duration_threshold
event conn_duration_threshold_crossed%(c: connection, threshold: interval, is_orig: bool%); event conn_duration_threshold_crossed%(c: connection, threshold: interval, is_orig: bool%);
## Generated for any IP-based session once :zeek:id:`ConnThreshold::generic_packet_threshold` packets have been
## observed. Only one endpoint sending traffic is sufficient to trigger the event. This allows to handle new
## connections, while short interactions, like scans consisting of only a few packets, are ignored.
##
## c: The connection.
event conn_generic_packet_threshold_crossed%(c: connection%);
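Review bot: The new docstring's "Generated ... once :zeek:id:`ConnThreshold::generic_packet_threshold` packets have been observed" is ambiguous between "as soon as" and "one time", and the implementation in ConnSize_Analyzer::CheckThresholds raises it a single time, when the combined count equals the threshold. I would make the contract explicit: `## Generated exactly once for any IP-based session, when the total number of packets seen in both directions reaches :zeek:id:`ConnThreshold::generic_packet_threshold`.` The sentence "This allows to handle new connections" reads better as "This makes it possible to handle new connections". Unlike the sibling `conn_packets_threshold_crossed`, this event carries no `threshold` or `is_orig` argument, which is consistent with a single global constant but worth stating so handlers know to read `ConnThreshold::generic_packet_threshold` themselves.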


@ -106,7 +106,8 @@ event network_time_init%(%);
## ##
## Handling this event is potentially expensive. For example, during a SYN ## Handling this event is potentially expensive. For example, during a SYN
## flooding attack, every spoofed SYN packet will lead to a new ## flooding attack, every spoofed SYN packet will lead to a new
## event. ## event. Consider to use events like :zeek:id:`connection_established` or
## :zeek:id:`ConnThreshold::conn_generic_packet_threshold_crossed` instead.
event new_connection%(c: connection%); event new_connection%(c: connection%);
## Generated for a connection whose tunneling has changed. This could ## Generated for a connection whose tunneling has changed. This could
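Review bot: The added cross-reference `:zeek:id:`ConnThreshold::conn_generic_packet_threshold_crossed`` appears to name the wrong module: the event is declared in this same event.bif without a module prefix, and the init-bare.zeek hunk switches back to `module GLOBAL` before loading event.bif, so only the constant lives in `ConnThreshold`. A broken `:zeek:id:` target will not resolve in the generated docs, and readers following the new_connection cost warning will land on nothing. I would change the line to `## :zeek:id:`conn_generic_packet_threshold_crossed` instead.` The preceding sentence would also read more naturally as "Consider using events like ...".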