Merge remote-tracking branch 'origin/topic/gregor/script-polishing'
* origin/topic/gregor/script-polishing: Tune when c$conn is set. Set c$conn (for logging) in new_connection() event. (Semiautomatically) convert the comments in bare-init.bro into autodoc ones. Add ConnSize_Analyzer's fields to conn.log SSH base scripts: make sure ConnSizeAnalyzer variables are available before using them. Make reference to the other script a link
562abfb0d1
6 changed files with 462 additions and 405 deletions
|
@ -12,7 +12,11 @@ export {
|
|||
proto: transport_proto &log;
|
||||
service: string &log &optional;
|
||||
duration: interval &log &optional;
|
||||
## The number of payload bytes the originator sent. For TCP
|
||||
## this is taken from sequence numbers and might be inaccurate
|
||||
## (e.g., due to large connections)
|
||||
orig_bytes: count &log &optional;
|
||||
## The number of payload bytes the responder sent. See ``orig_bytes``.
|
||||
resp_bytes: count &log &optional;
|
||||
|
||||
## ========== ===============================================
|
||||
|
@ -68,6 +72,17 @@ export {
|
|||
## for instance. I.e., we just record that data went in that direction.
|
||||
## This history is not meant to encode how much data that happened to be.
|
||||
history: string &log &optional;
|
||||
## Number of packets the originator sent.
|
||||
## Only set if :bro:id:`use_conn_size_analyzer`=T
|
||||
orig_pkts: count &log &optional;
|
||||
## Number IP level bytes the originator sent (as seen on the wire,
|
||||
## taken from IP total_length header field).
|
||||
## Only set if :bro:id:`use_conn_size_analyzer`=T
|
||||
orig_ip_bytes: count &log &optional;
|
||||
## Number of packets the responder sent. See ``orig_pkts``.
|
||||
resp_pkts: count &log &optional;
|
||||
## Number IP level bytes the responder sent. See ``orig_pkts``.
|
||||
resp_ip_bytes: count &log &optional;
|
||||
};
|
||||
|
||||
global log_conn: event(rec: Info);
|
||||
|
@ -143,31 +158,39 @@ function determine_service(c: connection): string
|
|||
return to_lower(service);
|
||||
}
|
||||
|
||||
## Fill out the c$conn record for logging
|
||||
function set_conn(c: connection, eoc: bool)
|
||||
{
|
||||
if ( ! c?$conn )
|
||||
{
|
||||
local id = c$id;
|
||||
local tmp: Info;
|
||||
tmp$ts=c$start_time;
|
||||
tmp$uid=c$uid;
|
||||
tmp$id=id;
|
||||
tmp$proto=get_port_transport_proto(id$resp_p);
|
||||
if( |Site::local_nets| > 0 )
|
||||
tmp$local_orig=Site::is_local_addr(id$orig_h);
|
||||
c$conn = tmp;
|
||||
}
|
||||
|
||||
c$conn$ts=c$start_time;
|
||||
c$conn$uid=c$uid;
|
||||
c$conn$id=c$id;
|
||||
c$conn$proto=get_port_transport_proto(c$id$resp_p);
|
||||
if( |Site::local_nets| > 0 )
|
||||
c$conn$local_orig=Site::is_local_addr(c$id$orig_h);
|
||||
|
||||
if ( eoc )
|
||||
{
|
||||
if ( c$duration > 0secs )
|
||||
{
|
||||
c$conn$duration=c$duration;
|
||||
# TODO: these should optionally use Gregor's new
|
||||
# actual byte counting code if it's enabled.
|
||||
c$conn$orig_bytes=c$orig$size;
|
||||
c$conn$resp_bytes=c$resp$size;
|
||||
}
|
||||
if ( c$orig?$num_pkts )
|
||||
{
|
||||
# these are set if use_conn_size_analyzer=T
|
||||
# we can have counts in here even without duration>0
|
||||
c$conn$orig_pkts = c$orig$num_pkts;
|
||||
c$conn$orig_ip_bytes = c$orig$num_bytes_ip;
|
||||
c$conn$resp_pkts = c$resp$num_pkts;
|
||||
c$conn$resp_ip_bytes = c$resp$num_bytes_ip;
|
||||
}
|
||||
local service = determine_service(c);
|
||||
if ( service != "" )
|
||||
c$conn$service=service;
|
||||
|
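Review bot: The guard `if ( c$orig?$num_pkts )` checks only the originator endpoint, yet the block beneath it also reads `c$resp$num_pkts` and `c$resp$num_bytes_ip`; if the responder-side fields can be absent while the originator's are present, that read fails at runtime instead of being skipped. The SSH hunk in the same commit treats `c$resp?$num_bytes_ip` as the signal that the ConnSize analyzer is active, so the two scripts already disagree on which endpoint to test. Changing the guard to `if ( c$orig?$num_pkts && c$resp?$num_pkts )` makes the reads safe however the analyzer populates the two endpoints. Separately, the comment `# TODO: these should optionally use Gregor's new actual byte counting code if it's enabled.` predates the orig_ip_bytes/resp_ip_bytes block added directly below it and now reads as stale; it should say that orig_bytes/resp_bytes intentionally stay sequence-number based and that the analyzer's counts go to the *_pkts and *_ip_bytes fields. set_conn's body continues in the next hunk, outside this one.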
@ -178,11 +201,6 @@ function set_conn(c: connection, eoc: bool)
|
|||
}
|
||||
}
|
||||
|
||||
event connection_established(c: connection) &priority=5
|
||||
{
|
||||
set_conn(c, F);
|
||||
}
|
||||
|
||||
event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5
|
||||
{
|
||||
set_conn(c, F);
|
||||
|
@ -190,9 +208,13 @@ event content_gap(c: connection, is_orig: bool, seq: count, length: count) &prio
|
|||
c$conn$missed_bytes = c$conn$missed_bytes + length;
|
||||
}
|
||||
|
||||
event connection_state_remove(c: connection) &priority=-5
|
||||
event connection_state_remove(c: connection) &priority=5
|
||||
{
|
||||
set_conn(c, T);
|
||||
}
|
||||
|
||||
event connection_state_remove(c: connection) &priority=-5
|
||||
{
|
||||
Log::write(CONN, c$conn);
|
||||
}
|
||||
|
||||
|
|
|
@ -94,6 +94,11 @@ function check_ssh_connection(c: connection, done: bool)
|
|||
if ( c$ssh$done )
|
||||
return;
|
||||
|
||||
# Make sure conn_size_analyzer is active by checking
|
||||
# resp$num_bytes_ip
|
||||
if ( !c$resp?$num_bytes_ip )
|
||||
return;
|
||||
|
||||
# If this is still a live connection and the byte count has not
|
||||
# crossed the threshold, just return and let the resheduled check happen later.
|
||||
if ( !done && c$resp$num_bytes_ip < authentication_data_size )
|
||||
|
|
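Review bot: The added `if ( !c$resp?$num_bytes_ip ) return;` turns check_ssh_connection into a silent no-op whenever the ConnSize analyzer is disabled: the function returns without marking `c$ssh$done`, so the login heuristic below never fires and nothing records that detection was skipped. Since the two `##` fields in conn.log already document the dependency as `:bro:id:\`use_conn_size_analyzer\`=T`, the script should state it too; a comment above the check such as `# Requires use_conn_size_analyzer=T; without the ConnSize analyzer this check never completes and no SSH login is ever detected.` tells the operator why an otherwise working SSH script produces nothing. The new comment also has a typo, `resheduled`, which should read `rescheduled`. check_ssh_connection's body continues outside this hunk.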