From 6e54d6c095a41d8fa7e02ca592482b4bcf7c2514 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Thu, 11 Aug 2022 13:32:19 +0200 Subject: [PATCH] Add NEWS entry and zeekygen-smithing for disabling_analyzer() --- NEWS | 10 ++++++++++ scripts/base/init-bare.zeek | 5 +++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 9d2c25dba4..96f86230a8 100644 --- a/NEWS +++ b/NEWS @@ -45,6 +45,16 @@ New Functionality For further details on the framework and examples, please refer to the Zeek documentation. +- Introduce a global ``disabling_analyzer()`` hook to allow vetoing calls + to ``disable_analyzer()``. + + The contract is simple: Any script can veto a ``disable_analyzer()`` call by + breaking from this hook. The decision is local to the script taking into + account any state attached to the connection or state stored elsewhere. + A script breaking from the hook takes over responsibility to call + ``disable_analyzer()`` at a later point when it finds the condition due + to which it vetoed fulfilled (which may be never). + Changed Functionality --------------------- diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index cd1914cea3..2651537acd 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -585,8 +585,9 @@ type fa_metadata: record { }; ## A hook taking a connection, analyzer tag and analyzer id that can be -## used to veto disabling analyzers. This hook is invoked synchronously -## during a :zeek:see:`disable_analyzer` call. +## used to veto disabling analyzers. Specifically, an analyzer can be prevented +## from being disabled by using a :zeek:see:`break` statement within the hook. +## This hook is invoked synchronously during a :zeek:see:`disable_analyzer` call. ## ## Scripts implementing this hook should have other logic that will eventually ## disable the analyzer for the given connection. That is, if a script vetoes
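Review bot: In the NEWS hunk, the last sentence of the new entry ("... when it finds the condition due to which it vetoed fulfilled (which may be never)") is hard to parse and leaves the outcome of a permanent veto implicit. Consider wording along the lines of "A script that breaks from the hook becomes responsible for calling ``disable_analyzer()`` itself once its reason for vetoing no longer holds; if that never happens, the analyzer stays enabled for the connection." The entry also omits the hook's arguments, which the init-bare.zeek comment in this same patch lists (connection, analyzer tag, analyzer id); naming them here would let a reader write a handler from the NEWS text alone.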
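Review bot: In the init-bare.zeek hunk, the added sentence marks up `break` with :zeek:see:, the same role the next line uses for the `disable_analyzer` function; since `break` is a statement rather than a function or other script-level identifier, please check the generated Zeekygen output to confirm the reference resolves, and fall back to a plain ``break`` literal if it does not. On wording, "can be prevented from being disabled" stacks two negatives; "breaking from the hook keeps the analyzer enabled" says the same thing more directly and matches the "veto by breaking from this hook" phrasing in the NEWS entry.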