mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Allow to handle late DPD matches.
If dpd_match_only_beginning is disabled, matches of protocol signatures can be handeld using protocol_late_match. To prevent further matching in this case, dpd_late_match_stop may be activated.
This commit is contained in:
Jan Grashoefer
parent
8ab0650c1e
commit
5901b6d33c
5 changed files with 58 additions and 0 deletions
|
|
@ -4684,6 +4684,18 @@ const dpd_buffer_size = 1024 &redef;
|
||||||
## only signatures used for dynamic protocol detection.
|
## only signatures used for dynamic protocol detection.
|
||||||
const dpd_match_only_beginning = T &redef;
|
const dpd_match_only_beginning = T &redef;
|
||||||
|
|
||||||
|
## If true, stops signature matching after a late match. A late match may occur
|
||||||
|
## in case the DPD buffer is exhausted but a protocol signature matched. To
|
||||||
|
## allow late matching, :zeek:see:`dpd_match_only_beginning` must be disabled.
|
||||||
|
##
|
||||||
|
## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size
|
||||||
|
## dpd_match_only_beginning
|
||||||
|
##
|
||||||
|
## .. note:: Despite the name, this option stops *all* signature matching, not
|
||||||
|
## only signatures used for dynamic protocol detection but is triggered by
|
||||||
|
## DPD signatures only.
|
||||||
|
const dpd_late_match_stop = F &redef;
|
||||||
|
|
||||||
## If true, don't consider any ports for deciding which protocol analyzer to
|
## If true, don't consider any ports for deciding which protocol analyzer to
|
||||||
## use.
|
## use.
|
||||||
##
|
##
|
||||||
|
|
|
||||||
|
|
@ -164,6 +164,7 @@ RecordType* irc_join_info;
|
||||||
int dpd_reassemble_first_packets;
|
int dpd_reassemble_first_packets;
|
||||||
int dpd_buffer_size;
|
int dpd_buffer_size;
|
||||||
int dpd_match_only_beginning;
|
int dpd_match_only_beginning;
|
||||||
|
int dpd_late_match_stop;
|
||||||
int dpd_ignore_ports;
|
int dpd_ignore_ports;
|
||||||
|
|
||||||
TableVal* likely_server_ports;
|
TableVal* likely_server_ports;
|
||||||
|
|
@ -406,6 +407,7 @@ void init_net_var()
|
||||||
opt_internal_int("dpd_reassemble_first_packets");
|
opt_internal_int("dpd_reassemble_first_packets");
|
||||||
dpd_buffer_size = opt_internal_int("dpd_buffer_size");
|
dpd_buffer_size = opt_internal_int("dpd_buffer_size");
|
||||||
dpd_match_only_beginning = opt_internal_int("dpd_match_only_beginning");
|
dpd_match_only_beginning = opt_internal_int("dpd_match_only_beginning");
|
||||||
|
dpd_late_match_stop = opt_internal_int("dpd_late_match_stop");
|
||||||
dpd_ignore_ports = opt_internal_int("dpd_ignore_ports");
|
dpd_ignore_ports = opt_internal_int("dpd_ignore_ports");
|
||||||
|
|
||||||
likely_server_ports = internal_val("likely_server_ports")->AsTableVal();
|
likely_server_ports = internal_val("likely_server_ports")->AsTableVal();
|
||||||
|
|
|
||||||
|
|
@ -166,6 +166,7 @@ extern RecordType* irc_join_info;
|
||||||
extern int dpd_reassemble_first_packets;
|
extern int dpd_reassemble_first_packets;
|
||||||
extern int dpd_buffer_size;
|
extern int dpd_buffer_size;
|
||||||
extern int dpd_match_only_beginning;
|
extern int dpd_match_only_beginning;
|
||||||
|
extern int dpd_late_match_stop;
|
||||||
extern int dpd_ignore_ports;
|
extern int dpd_ignore_ports;
|
||||||
|
|
||||||
extern TableVal* likely_server_ports;
|
extern TableVal* likely_server_ports;
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,6 @@
|
||||||
#include "PIA.h"
|
#include "PIA.h"
|
||||||
#include "RuleMatcher.h"
|
#include "RuleMatcher.h"
|
||||||
|
#include "Event.h"
|
||||||
#include "analyzer/protocol/tcp/TCP_Flags.h"
|
#include "analyzer/protocol/tcp/TCP_Flags.h"
|
||||||
#include "analyzer/protocol/tcp/TCP_Reassembler.h"
|
#include "analyzer/protocol/tcp/TCP_Reassembler.h"
|
||||||
|
|
||||||
|
|
@ -144,6 +145,20 @@ void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
|
||||||
DBG_LOG(DBG_ANALYZER, "analyzer found but buffer already exceeded");
|
DBG_LOG(DBG_ANALYZER, "analyzer found but buffer already exceeded");
|
||||||
// FIXME: This is where to check whether an analyzer
|
// FIXME: This is where to check whether an analyzer
|
||||||
// supports partial connections once we get such.
|
// supports partial connections once we get such.
|
||||||
|
|
||||||
|
if ( protocol_late_match )
|
||||||
|
{
|
||||||
|
// Queue late match event
|
||||||
|
EnumVal *tval = tag ? tag.AsEnumVal() : GetAnalyzerTag().AsEnumVal();
|
||||||
|
Ref(tval);
|
||||||
|
|
||||||
|
val_list *vl = new val_list;
|
||||||
|
vl->append(BuildConnVal());
|
||||||
|
vl->append(tval);
|
||||||
|
mgr.QueueEvent(protocol_late_match, vl);
|
||||||
|
}
|
||||||
|
|
||||||
|
pkt_buffer.state = dpd_late_match_stop ? SKIPPING : MATCHING_ONLY;
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -279,6 +294,20 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
|
||||||
DBG_LOG(DBG_ANALYZER, "analyzer found but buffer already exceeded");
|
DBG_LOG(DBG_ANALYZER, "analyzer found but buffer already exceeded");
|
||||||
// FIXME: This is where to check whether an analyzer supports
|
// FIXME: This is where to check whether an analyzer supports
|
||||||
// partial connections once we get such.
|
// partial connections once we get such.
|
||||||
|
|
||||||
|
if ( protocol_late_match )
|
||||||
|
{
|
||||||
|
// Queue late match event
|
||||||
|
EnumVal *tval = tag ? tag.AsEnumVal() : GetAnalyzerTag().AsEnumVal();
|
||||||
|
Ref(tval);
|
||||||
|
|
||||||
|
val_list *vl = new val_list;
|
||||||
|
vl->append(BuildConnVal());
|
||||||
|
vl->append(tval);
|
||||||
|
mgr.QueueEvent(protocol_late_match, vl);
|
||||||
|
}
|
||||||
|
|
||||||
|
stream_buffer.state = dpd_late_match_stop ? SKIPPING : MATCHING_ONLY;
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -369,6 +369,20 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
|
||||||
## there (and thus in ``conn.log``).
|
## there (and thus in ``conn.log``).
|
||||||
event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
|
event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
|
||||||
|
|
||||||
|
## Generated if a DPD signature matched but the DPD buffer is already exhausted
|
||||||
|
## and thus the analyzer could not be attached. While this does not confirm
|
||||||
|
## that a protocol is actually used, it allows to retain that information.
|
||||||
|
##
|
||||||
|
## c: The connection.
|
||||||
|
##
|
||||||
|
## atype: The type of the analyzer confirming that its protocol is in
|
||||||
|
## use. The value is one of the ``Analyzer::ANALYZER_*`` constants. For example,
|
||||||
|
## ``Analyzer::ANALYZER_HTTP`` means the HTTP analyzer determined that it's indeed
|
||||||
|
## parsing an HTTP connection.
|
||||||
|
##
|
||||||
|
## .. bro:see:: dpd_buffer_size
|
||||||
|
event protocol_late_match%(c: connection, atype: Analyzer::Tag%);
|
||||||
|
|
||||||
## Generated when a protocol analyzer determines that a connection it is parsing
|
## Generated when a protocol analyzer determines that a connection it is parsing
|
||||||
## is not conforming to the protocol it expects. Zeek's dynamic protocol
|
## is not conforming to the protocol it expects. Zeek's dynamic protocol
|
||||||
## detection heuristically activates analyzers as soon as it believes a
|
## detection heuristically activates analyzers as soon as it believes a
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue