More adjustment to reduce Weird volumes.

- New script extracted from weird.bro that moves the
  connection-related "weird" handling into an optionally
  loaded script.

- Adjusted the default notice tuning to stop ignoring
  the connection related weirds since they aren't loaded
  by default anymore.
This commit is contained in:
Seth Hall 2011-10-04 13:58:55 -04:00
parent 04a9a0dc38
commit 5a04190ffe
3 changed files with 61 additions and 51 deletions


@ -10,12 +10,6 @@ export {
redef enum Notice::Type += {
## Generic unusual but alarm-worthy activity.
Weird_Activity,
## Possible evasion; usually just chud.
Retransmission_Inconsistency,
## Could mean packet drop; could also be chud.
Ack_Above_Hole,
## Data has sequence hole; perhaps due to filtering.
Content_Gap,
};
type Info: record {
@ -383,47 +377,6 @@ function report_weird_orig(t: time, name: string, id: string, orig: addr)
report_weird(t, name, id, F, "", action, no_log);
}
event conn_weird(name: string, c: connection, addl: string)
{
report_weird_conn(network_time(), name, id_string(c$id), addl, c);
}
event flow_weird(name: string, src: addr, dst: addr)
{
report_weird_orig(network_time(), name, fmt("%s -> %s", src, dst), src);
}
event net_weird(name: string)
{
report_weird(network_time(), name, "", F, "", WEIRD_UNSPECIFIED, F);
}
event rexmit_inconsistency(c: connection, t1: string, t2: string)
{
if ( c$id !in did_inconsistency_msg )
{
NOTICE([$note=Retransmission_Inconsistency,
$conn=c,
$msg=fmt("%s rexmit inconsistency (%s) (%s)",
id_string(c$id), t1, t2)]);
add did_inconsistency_msg[c$id];
}
}
event ack_above_hole(c: connection)
{
NOTICE([$note=Ack_Above_Hole, $conn=c,
$msg=fmt("%s ack above a hole", id_string(c$id))]);
}
event content_gap(c: connection, is_orig: bool, seq: count, length: count)
{
NOTICE([$note=Content_Gap, $conn=c,
$msg=fmt("%s content gap (%s %d/%d)%s",
id_string(c$id), is_orig ? ">" : "<", seq, length,
is_external_connection(c) ? " [external]" : "")]);
}
event connection_state_remove(c: connection)
{
delete weird_ignore[id_string(c$id)];