diff --git a/NEWS b/NEWS
index 286f5f8cbd..4b18b4be38 100644
--- a/NEWS
+++ b/NEWS
@@ -150,6 +150,11 @@ New Functionality
   ``ssh2_gh_gex_init``, ``ssh2_gss_init``, ssh2_rsa_secret``) to detect when
   SSH client and server roles are reversed.
 
+- Analyzers found in the new ``Analyzer::requested_analyzers`` set will be
+  enabled at ``zeek_init()`` time. The set can be populated via :zeek:see:`redef`.
+  This change only has an effect in settings where ``Analyzer::disable_all``
+  is changed to ``T``. By default, all analyzers continue to be enabled.
+
 Changed Functionality
 ---------------------
 
diff --git a/scripts/base/frameworks/analyzer/main.zeek b/scripts/base/frameworks/analyzer/main.zeek
index 39932a56ad..420d124bd8 100644
--- a/scripts/base/frameworks/analyzer/main.zeek
+++ b/scripts/base/frameworks/analyzer/main.zeek
@@ -149,6 +149,16 @@ export {
 	## Analyzer::register_for_port(s) and packet analyzers can add to this
 	## using PacketAnalyzer::register_for_port(s).
 	global ports: table[AllAnalyzers::Tag] of set[port];
+
+	## A set of protocol, packet or file analyzer tags requested to
+	## be enabled during startup.
+	##
+	## By default, all analyzers in Zeek are enabled. When all analyzers
+	## are disabled through :zeek:see:`Analyzer::disable_all`, this set
+	## set allows to record analyzers to be enabled during Zeek startup.
+	##
+	## This set can be added to via :zeek:see:`redef`.
+	global requested_analyzers: set[AllAnalyzers::Tag] = {} &redef;
 }
 
 @load base/bif/analyzer.bif
@@ -164,6 +174,12 @@ event zeek_init() &priority=5
 		disable_analyzer(a);
 	}
 
+event zeek_init() &priority=-5
+	{
+	for ( a in requested_analyzers )
+		Analyzer::enable_analyzer(a);
+	}
+
 function enable_analyzer(tag: AllAnalyzers::Tag) : bool
 	{
 	if ( is_packet_analyzer(tag) )
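Review bot: The doc comment above the new `global requested_analyzers` declaration reads `this set set allows to record analyzers to be enabled during Zeek startup`, a doubled word plus a non-idiomatic verb form; suggest `this set records the analyzers to be enabled during Zeek startup.` The comment would also benefit from stating the ordering contract the feature depends on, since the set is only consulted from a `zeek_init()` handler and only matters once `Analyzer::disable_all` is `T`; something like `## Entries are enabled from a zeek_init() handler at priority -5, i.e. after the handler that honours Analyzer::disable_all has run.` Readers who redef the set from their own `zeek_init()` handlers otherwise have no way to tell from the declaration that a late addition will be missed.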
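Review bot: The boolean returned by `Analyzer::enable_analyzer(a)` in the new `zeek_init() &priority=-5` handler is discarded, so a requested tag that cannot be enabled is silently ignored and the only symptom is missing log output later. Surfacing the failure at startup keeps a misconfigured `requested_analyzers` set visible to the operator: `if ( ! Analyzer::enable_analyzer(a) )` / `Reporter::warning(fmt("could not enable requested analyzer %s", a));`. The correctness of the feature also rests solely on the priority gap between the disabling handler at `&priority=5` and this one at `-5`; a user `zeek_init()` at the default priority that disables an analyzer also present in the set will have that decision overridden here, which is presumably intended but deserves a one-line comment on the handler. The `function enable_analyzer` that follows continues outside the hunk.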
diff --git a/testing/btest/Baseline/scripts.base.frameworks.analyzer.request-analyzer/conn.log b/testing/btest/Baseline/scripts.base.frameworks.analyzer.request-analyzer/conn.log new file mode 100644 index 0000000000..6c830bb082 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.analyzer.request-analyzer/conn.log 
@@ -0,0 +1,34 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd - - - - - +XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd - - - - - +XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd - - - - - +XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd - - - - - +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd - - - - - +XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd - - - - - +XXXXXXXXXX.XXXXXX CtxTCR2Yer0FR1tIBg 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd - - - - - +XXXXXXXXXX.XXXXXX CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd - - - - - +XXXXXXXXXX.XXXXXX CqlVyW1YwZ15RhTBc4 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd - - - - - +XXXXXXXXXX.XXXXXX C1Xkzz2MaGtLrc1Tla 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd - - - - - +XXXXXXXXXX.XXXXXX CFLRIC3zaTU1loLGxh 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd - - - - - +XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 
SF - - 0 Dd - - - - - +XXXXXXXXXX.XXXXXX Ck51lg1bScffFj34Ri 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd - - - - - +XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA - - - - - +XXXXXXXXXX.XXXXXX CLNN1k2QMum1aexUK7 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 - - 0 ShADad - - - - - +XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 - - 0 ShADad - - - - - +XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 141.142.220.118 49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 - - 0 ShADad - - - - - +XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 - - 0 ShADad - - - - - +XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 141.142.220.118 49999 208.80.152.3 80 tcp http 0.220961 1137 733 S1 - - 0 ShADad - - - - - +XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - - 0 ShADad - - - - - +XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 - - 0 ShADad - - - - - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 - - 0 ShADad - - - - - +XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 141.142.220.235 6705 173.192.163.128 80 tcp - - - - OTH - - 0 ^h - - - - - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.frameworks.analyzer.request-analyzer/http.log b/testing/btest/Baseline/scripts.base.frameworks.analyzer.request-analyzer/http.log new file mode 100644 index 0000000000..92e3d6432d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.analyzer.request-analyzer/http.log 
@@ -0,0 +1,24 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 141.142.220.118 48649 208.80.152.118 80 1 GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ 1.1 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 141.142.220.118 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 141.142.220.118 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 141.142.220.118 49998 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png 
http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 141.142.220.118 50000 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 141.142.220.118 49999 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 141.142.220.118 50001 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +XXXXXXXXXX.XXXXXX CLNN1k2QMum1aexUK7 141.142.220.118 35642 208.80.152.2 80 1 GET meta.wikimedia.org /images/wikimedia-button.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 141.142.220.118 49997 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 
141.142.220.118 49996 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 141.142.220.118 49998 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 141.142.220.118 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 141.142.220.118 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 141.142.220.118 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/scripts/base/frameworks/analyzer/request-analyzer.zeek b/testing/btest/scripts/base/frameworks/analyzer/request-analyzer.zeek
new file mode 100644
index 0000000000..14ed995e56
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/analyzer/request-analyzer.zeek
@@ -0,0 +1,16 @@
+# @TEST-DOC: Ensure only the HTTP analyzer is enabled (filter out some noise from the trace)
+# @TEST-EXEC: zeek -b -f 'port 53 or port 80' -r ${TRACES}/wikipedia.trace %INPUT
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: test ! -f dns.log
+
+@load base/protocols/conn
+@load base/protocols/dns
+@load base/protocols/http
+
+# Turn all analyzers off.
+redef Analyzer::disable_all = T;
+
+redef Analyzer::requested_analyzers += {
+	Analyzer::ANALYZER_HTTP,
+};