Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Make tunnel_parents in conn.log optional.

Browse source 
This makes conn.logs a bit prettier (and smaller) because all lines that
do not use a tunnel will now have a "-" instead of the "(empty)" for
tunnel_parents.
This commit is contained in:
Johanna Amann 2018-01-12 13:25:21 -08:00
parent bdb7f62335
commit 6f9524e082
60 changed files with 1881 additions and 1877 deletions
Download patch file Download diff file Expand all files Collapse all files

10
scripts/base/protocols/conn/main.bro
View file

@ -116,7 +116,7 @@ export {
## If this connection was over a tunnel, indicate the
## *uid* values for any encapsulating parent connections
## used over the lifetime of this inner connection.
tunnel_parents: set[string] &log;
tunnel_parents: set[string] &log &optional;
};
## Event that can be handled to access the :bro:type:`Conn::Info`
@ -207,7 +207,11 @@ function set_conn(c: connection, eoc: bool)
c$conn$uid=c$uid;
c$conn$id=c$id;
if ( c?$tunnel && |c$tunnel| > 0 )
{
if ( ! c$conn?$tunnel_parents )
c$conn$tunnel_parents = set();
add c$conn$tunnel_parents[c$tunnel[|c$tunnel|-1]$uid];
}
c$conn$proto=get_port_transport_proto(c$id$resp_p);
if( |Site::local_nets| > 0 )
{
@ -253,7 +257,11 @@ event tunnel_changed(c: connection, e: EncapsulatingConnVector) &priority=5
{
set_conn(c, F);
if ( |e| > 0 )
{
if ( ! c$conn?$tunnel_parents )
c$conn$tunnel_parents = set();
add c$conn$tunnel_parents[e[|e|-1]$uid];
}
c$tunnel = e;
}