diff --git a/scripts/base/frameworks/analyzer/dpd.zeek b/scripts/base/frameworks/analyzer/dpd.zeek
index c28c80e8b0..2f637ea903 100644
--- a/scripts/base/frameworks/analyzer/dpd.zeek
+++ b/scripts/base/frameworks/analyzer/dpd.zeek
@@ -1,31 +1,8 @@
-##! Activates port-independent protocol detection and selectively disables
-##! analyzers if protocol violations occur.
+##! Disables analyzers if protocol violations occur.
 module DPD;
 export {
- ## Add the DPD logging stream identifier.
- redef enum Log::ID += { LOG };
-
- ## A default logging policy hook for the stream.
- global log_policy: Log::PolicyHook;
-
- ## The record type defining the columns to log in the DPD logging stream.
- type Info: record {
- ## Timestamp for when protocol analysis failed.
- ts: time &log;
- ## Connection unique ID.
- uid: string &log;
- ## Connection ID containing the 4-tuple which identifies endpoints.
- id: conn_id &log;
- ## Transport protocol for the violation.
- proto: transport_proto &log;
- ## The analyzer that generated the violation.
- analyzer: string &log;
- ## The textual reason for the analysis failure.
- failure_reason: string &log;
- };
-
 ## Deprecated, please see https://github.com/zeek/zeek/pull/4200 for details
 option max_violations: table[Analyzer::Tag] of count = table() &deprecated="Remove in v8.1: This has become non-functional in Zeek 7.2, see PR #4200"
 &default = 5;
@@ -45,17 +22,11 @@ export {
 }
 redef record connection += {
- dpd: Info &optional;
 ## The set of services (analyzers) for which Zeek has observed a
 ## violation after the same service had previously been confirmed.
 service_violation: set[string] &default=set() &ordered;
 };
-event zeek_init() &priority=5
- {
- Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd", $policy=log_policy]);
- }
-
 event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &priority=10
 {
 if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
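Review bot: The rewritten `##!` header of dpd.zeek no longer tells a reader where the dpd.log stream went, so anyone looking for the log in the base script has no pointer to the policy script that now owns it. Suggest `##! Disables analyzers if protocol violations occur. The deprecated dpd.log stream is now created by policy/frameworks/analyzer/dpd-log.zeek.` The same applies to the `redef record connection` block in the second hunk, where the `dpd` field silently disappears from the base connection record; a one-line comment there naming the new script would spare users of `c$dpd` a search.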
@@ -94,28 +65,9 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
 return;
 add c$service_violation[analyzer];
-
- local dpd: Info;
- dpd$ts = network_time();
- dpd$uid = c$uid;
- dpd$id = c$id;
- dpd$proto = get_port_transport_proto(c$id$orig_p);
- dpd$analyzer = analyzer;
-
- # Encode data into the reason if there's any as done for the old
- # analyzer_violation event, previously.
- local reason = info$reason;
- if ( info?$data )
- {
- local ellipsis = |info$data| > 40 ? "..." : "";
- local data = info$data[0:40];
- reason = fmt("%s [%s%s]", reason, data, ellipsis);
- }
-
- dpd$failure_reason = reason;
- c$dpd = dpd;
 }
+
 event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo ) &priority=5
 {
 if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
@@ -145,17 +97,3 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
 }
-event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo ) &priority=-5
- {
- if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
- return;
-
- if ( ! info?$c )
- return;
-
- if ( info$c?$dpd )
- {
- Log::write(DPD::LOG, info$c$dpd);
- delete info$c$dpd;
- }
- }
diff --git a/scripts/policy/frameworks/analyzer/dpd-log.zeek b/scripts/policy/frameworks/analyzer/dpd-log.zeek
new file mode 100644
index 0000000000..0c4248281f
--- /dev/null
+++ b/scripts/policy/frameworks/analyzer/dpd-log.zeek
@@ -0,0 +1,92 @@
+##! Creates the now deprecated dpd.logfile.
+# Remove in v8.1
+
+@deprecated("dpd.log is deprecated; remove in 8.1")
+
+module DPD;
+
+export {
+ ## Add the DPD logging stream identifier.
+ redef enum Log::ID += { LOG };
+
+ ## A default logging policy hook for the stream.
+ global log_policy: Log::PolicyHook;
+
+ ## The record type defining the columns to log in the DPD logging stream.
+ type Info: record {
+ ## Timestamp for when protocol analysis failed.
+ ts: time &log;
+ ## Connection unique ID.
+ uid: string &log;
+ ## Connection ID containing the 4-tuple which identifies endpoints.
+ id: conn_id &log;
+ ## Transport protocol for the violation.
+ proto: transport_proto &log;
+ ## The analyzer that generated the violation.
+ analyzer: string &log;
+ ## The textual reason for the analysis failure.
+ failure_reason: string &log;
+ };
+}
+
+redef record connection += {
+ dpd: Info &optional;
+};
+
+event zeek_init() &priority=5
+ {
+ Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd", $policy=log_policy]);
+ }
+
+# Runs before the same event handler in base/frameworks/analyzer/dpd.zeek
+event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=15
+ {
+ if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
+ return;
+
+ if ( ! info?$c )
+ return;
+
+ local c = info$c;
+ local analyzer = Analyzer::name(atype);
+ # If the service hasn't been confirmed yet, or already failed,
+ # don't generate a log message for the protocol violation.
+ if ( analyzer !in c$service || analyzer in c$service_violation )
+ return;
+
+ local dpd: Info;
+ dpd$ts = network_time();
+ dpd$uid = c$uid;
+ dpd$id = c$id;
+ dpd$proto = get_port_transport_proto(c$id$orig_p);
+ dpd$analyzer = analyzer;
+
+ # Encode data into the reason if there's any as done for the old
+ # analyzer_violation event, previously.
+ local reason = info$reason;
+ if ( info?$data )
+ {
+ local ellipsis = |info$data| > 40 ? "..." : "";
+ local data = info$data[0:40];
+ reason = fmt("%s [%s%s]", reason, data, ellipsis);
+ }
+
+ dpd$failure_reason = reason;
+ c$dpd = dpd;
+ }
+
+event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo ) &priority=-5
+ {
+ if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
+ return;
+
+ if ( ! info?$c )
+ return;
+
+ if ( info$c?$dpd )
+ {
+ Log::write(DPD::LOG, info$c$dpd);
+ delete info$c$dpd;
+ }
+ }
+
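Review bot: The comment above the `&priority=15` handler in dpd-log.zeek says it runs before the base handler but not why that ordering is load-bearing: the base script's `&priority=10` handler does `add c$service_violation[analyzer]`, and this handler's gate `analyzer in c$service_violation` would reject every violation if it ran afterwards, leaving dpd.log silently empty. Suggest `# Must run before the &priority=10 handler in base/frameworks/analyzer/dpd.zeek, which adds the analyzer to c$service_violation; the gate below has to observe the state before that update.` The gate itself is a copy of the base script's condition, so a later change to one side without the other would make the log diverge from the disable decision; a short comment naming that coupling would help the next maintainer. Separately, `dpd.logfile` in the file's first line should read `dpd.log file`.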