Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 22:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

More adjustment to reduce Weird volumes.

Browse source 
- New script extracted from weird.bro to implement the
  connection related "weird" data into an optionally
  loaded script.

- Adjusted the default notice tuning to stop ignoring
  the connection related weirds since they aren't loaded
  by default anymore.
This commit is contained in:
Seth Hall 2011-10-04 13:58:55 -04:00
parent 04a9a0dc38
commit 5a04190ffe
3 changed files with 61 additions and 51 deletions
Download patch file Download diff file Expand all files Collapse all files

47
scripts/base/frameworks/notice/weird.bro
View file

@ -10,12 +10,6 @@ export {
redef enum Notice::Type += { redef enum Notice::Type += {
## Generic unusual but alarm-worthy activity. ## Generic unusual but alarm-worthy activity.
Weird_Activity, Weird_Activity,
## Possible evasion; usually just chud.
Retransmission_Inconsistency,
## Could mean packet drop; could also be chud.
Ack_Above_Hole,
## Data has sequence hole; perhaps due to filtering.
Content_Gap,
}; };
type Info: record { type Info: record {
@ -383,47 +377,6 @@ function report_weird_orig(t: time, name: string, id: string, orig: addr)
report_weird(t, name, id, F, "", action, no_log); report_weird(t, name, id, F, "", action, no_log);
} }
event conn_weird(name: string, c: connection, addl: string)
{
report_weird_conn(network_time(), name, id_string(c$id), addl, c);
}
event flow_weird(name: string, src: addr, dst: addr)
{
report_weird_orig(network_time(), name, fmt("%s -> %s", src, dst), src);
}
event net_weird(name: string)
{
report_weird(network_time(), name, "", F, "", WEIRD_UNSPECIFIED, F);
}
event rexmit_inconsistency(c: connection, t1: string, t2: string)
{
if ( c$id !in did_inconsistency_msg )
{
NOTICE([$note=Retransmission_Inconsistency,
$conn=c,
$msg=fmt("%s rexmit inconsistency (%s) (%s)",
id_string(c$id), t1, t2)]);
add did_inconsistency_msg[c$id];
}
}
event ack_above_hole(c: connection)
{
NOTICE([$note=Ack_Above_Hole, $conn=c,
$msg=fmt("%s ack above a hole", id_string(c$id))]);
}
event content_gap(c: connection, is_orig: bool, seq: count, length: count)
{
NOTICE([$note=Content_Gap, $conn=c,
$msg=fmt("%s content gap (%s %d/%d)%s",
id_string(c$id), is_orig ? ">" : "<", seq, length,
is_external_connection(c) ? " [external]" : "")]);
}
event connection_state_remove(c: connection) event connection_state_remove(c: connection)
{ {
delete weird_ignore[id_string(c$id)]; delete weird_ignore[id_string(c$id)];

61
scripts/policy/protocols/conn/weirds.bro Normal file
View file

@ -0,0 +1,61 @@
##! This script handles core generated connection related "weird" events to
##! push weird information about connections into the weird framework.
##! For live operational deployments, this can frequently cause load issues
##! due to large numbers of these events being passed between nodes.
@load base/frameworks/notice
module Weird;
export {
redef enum Notice::Type += {
## Possible evasion; usually just chud.
Retransmission_Inconsistency,
## Could mean packet drop; could also be chud.
Ack_Above_Hole,
## Data has sequence hole; perhaps due to filtering.
Content_Gap,
};
}
event conn_weird(name: string, c: connection, addl: string)
{
report_weird_conn(network_time(), name, id_string(c$id), addl, c);
}
event flow_weird(name: string, src: addr, dst: addr)
{
report_weird_orig(network_time(), name, fmt("%s -> %s", src, dst), src);
}
event net_weird(name: string)
{
report_weird(network_time(), name, "", F, "", WEIRD_UNSPECIFIED, F);
}
event rexmit_inconsistency(c: connection, t1: string, t2: string)
{
if ( c$id !in did_inconsistency_msg )
{
NOTICE([$note=Retransmission_Inconsistency,
$conn=c,
$msg=fmt("%s rexmit inconsistency (%s) (%s)",
id_string(c$id), t1, t2)]);
add did_inconsistency_msg[c$id];
}
}
event ack_above_hole(c: connection)
{
NOTICE([$note=Ack_Above_Hole, $conn=c,
$msg=fmt("%s ack above a hole", id_string(c$id))]);
}
event content_gap(c: connection, is_orig: bool, seq: count, length: count)
{
NOTICE([$note=Content_Gap, $conn=c,
$msg=fmt("%s content gap (%s %d/%d)%s",
id_string(c$id), is_orig ? ">" : "<", seq, length,
is_external_connection(c) ? " [external]" : "")]);
}

4
scripts/policy/tuning/defaults/remove-high-volume-notices.bro
View file

@ -4,11 +4,7 @@
@load base/frameworks/notice @load base/frameworks/notice
@load base/frameworks/notice/weird @load base/frameworks/notice/weird
# Remove these notices from logging since they can be too noisy.
redef Notice::ignored_types += { redef Notice::ignored_types += {
Weird::Content_Gap,
Weird::Ack_Above_Hole,
Weird::Retransmission_Inconsistency,
## Only allow these to go in the weird log. ## Only allow these to go in the weird log.
Weird::Weird_Activity, Weird::Weird_Activity,
}; };