Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-12 11:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Add speculative service script.

Browse source 
The speculative service script handles dpd_late_match events to extend
conn.log with infos about potential protocol identifications.
This commit is contained in:
Jan Grashoefer 2019-08-29 11:47:04 +02:00
parent 5901b6d33c
commit 788b56a652
4 changed files with 51 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

34
scripts/policy/protocols/conn/speculative-service.zeek Normal file
View file

@ -0,0 +1,34 @@
##! This script adds information about matched DPD signatures to the connection
##! log.
@load base/protocols/conn
module Conn;
redef record Info += {
## Protocol that was determined by a matching signature after the beginning
## of a connection. In this situation no analyzer can be attached and hence
## the data cannot be analyzed nor the protocol can be confirmed.
speculative_service: string &log &optional;
};
redef record connection += {
speculative_service: set[string] &default=string_set();
};
redef dpd_match_only_beginning = F;
redef dpd_late_match_stop = T;
event protocol_late_match(c: connection, atype: Analyzer::Tag)
{
local analyzer = Analyzer::name(atype);
add c$speculative_service[analyzer];
}
event connection_state_remove(c: connection)
{
local sp_service = "";
for ( s in c$speculative_service )
sp_service = sp_service == "" ? s : cat(sp_service, ",", s);
c$conn$speculative_service = to_lower(sp_service);
}

11
testing/btest/Baseline/scripts.policy.protocols.conn.speculative-service/conn.log Normal file
View file

@ -0,0 +1,11 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2019-08-29-09-45-13
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents speculative_service
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string
1567010592.624680 CHhAvVGS1DHFjwGM9 127.0.0.1 37526 127.0.0.1 80 tcp http 0.008395 61907 60478 SF - - 0 ShADadfF 10 62435 9 60954 - http
1567010639.143657 ClEkJM2Vm5giqnMf4h 127.0.0.1 60644 127.0.0.1 5000 tcp - 0.015853 61917 60478 SF - - 0 ShADadfF 10 62445 9 60954 - http
#close 2019-08-29-09-45-13

BIN
testing/btest/Traces/http/http-post-large.pcap Normal file
View file

Binary file not shown.

6
testing/btest/scripts/policy/protocols/conn/speculative-service.zeek Normal file
View file

@ -0,0 +1,6 @@
# A basic test of the speculative service detection
# @TEST-EXEC: zeek -C -r $TRACES/http/http-post-large.pcap %INPUT
# @TEST-EXEC: btest-diff conn.log
@load protocols/conn/speculative-service