GH-998: Fix Reporter::conn_weird() to handle expired connections

This introduces a new sampling state-map for expired connections to fix segfaults that previously occured when passing in a `connection` record to `Reporter::conn_weird()` for which the internal `Connection` object had already been expired and deleted. This also introduces a new event called `expired_conn_weird`, which is similar to `conn_weird`, except the full `connection` record is no longer available, just the `conn_id` and UID string.
2025-10-02 06:38:20 +00:00 · 2020-06-15 12:53:46 -07:00 · 2020-06-15 12:53:46 -07:00 · 51e738a1c0
commit 51e738a1c0
parent 8d9e85b842
9 changed files with 163 additions and 5 deletions
--- a/scripts/base/frameworks/notice/weird.zeek
+++ b/scripts/base/frameworks/notice/weird.zeek
@ -406,6 +406,17 @@ event conn_weird(name: string, c: connection, addl: string)
 	weird(i);
 	}

+event expired_conn_weird(name: string, id: conn_id, uid: string, addl: string)
+	{
+	local i = Info($ts=network_time(), $name=name, $uid=uid, $id=id,
+	               $identifier=id_string(id));
+
+	if ( addl != "" )
+		i$addl = addl;
+
+	weird(i);
+	}
+
 event flow_weird(name: string, src: addr, dst: addr, addl: string)
 	{
 	# We add the source and destination as port 0/unknown because that is