Add policy script to remove ip_proto field, rename protocol naming script

2025-10-17 05:58:20 +00:00 · 2024-11-08 14:58:37 -07:00 · 2024-11-08 14:58:37 -07:00 · 623fea9014
commit 623fea9014
parent 5e5aceb6f7
5 changed files with 18 additions and 4 deletions
--- a/scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek
+++ b/scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek
@ -0,0 +1,11 @@
+##! This script filters the ip_proto field out of the conn.log and disables
+##! logging of connections with unknown IP protocols.
+
+@load base/protocols/conn
+@load base/frameworks/analyzer/main
+
+redef record Conn::Info$ip_proto -= { &log };
+
+event zeek_init() {
+	Analyzer::disable_analyzer(PacketAnalyzer::ANALYZER_UNKNOWN_IP_TRANSPORT);
+}
--- a/scripts/policy/protocols/conn/ip-proto-name-logging.zeek
+++ b/scripts/policy/protocols/conn/ip-proto-name-logging.zeek
@ -1,4 +1,6 @@
-##! This script adds a string version of the ip_proto field
+##! This script adds a string version of the ip_proto field. It's not recommended
+##! to load this policy and the ip_proto removal policy at the same time, as
+##! conn.log will end up with useless information in the log from this field.

@load base/protocols/conn