mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
Remove variable content from weird names
This changes many weird names to move non-static content from the weird name into the "addl" field to help ensure the total number of weird names is reasonably bounded. Note the net_weird and flow_weird events do not have an "addl" parameter, so information may no longer be available in those cases -- to make it available again we'd need to either (1) define new events that contain such a parameter, or (2) change net_weird/flow_weird event signature (which is a breaking change for user-code at the moment). Also, the generic handling of binpac exceptions for analyzers which do not otherwise catch and handle them has been changed from a Weird to a ProtocolViolation. Finally, a new "file_weird" event has been added for reporting weirdness found during file analysis.
parent
956674745b
commit
995368e68c
47 changed files with 289 additions and 152 deletions
|
@ -17,7 +17,7 @@ using namespace analyzer::rpc;
|
|||
int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
|
||||
{
|
||||
if ( c->Program() != 100003 )
|
||||
Weird(fmt("bad_RPC_program (%d)", c->Program()));
|
||||
Weird("bad_RPC_program", fmt("%d", c->Program()));
|
||||
|
||||
uint32 proc = c->Proc();
|
||||
// The call arguments, depends on the call type obviously ...
|
||||
|
@ -103,7 +103,7 @@ int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
|
|||
n = 0;
|
||||
}
|
||||
else
|
||||
Weird(fmt("unknown_NFS_request(%u)", proc));
|
||||
Weird("unknown_NFS_request", fmt("%u", proc));
|
||||
|
||||
// Return 1 so that replies to unprocessed calls will still
|
||||
// be processed, and the return status extracted.
|
||||
|
|
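Review bot: In the first hunk the new call `Weird("bad_RPC_program", fmt("%d", c->Program()));` formats the program number with `%d`, while the second hunk formats `proc` (declared `uint32`) with `%u`. If `Program()` also returns an unsigned 32-bit value, which seems likely but is not visible here, a wire-supplied program number above 2^31-1 would be logged as a negative number in the addl field; `Weird("bad_RPC_program", fmt("%u", c->Program()));` would keep the logged value equal to what the peer sent. Both calls would also benefit from a short comment such as `// Keep the weird name constant; peer-controlled values go in addl.` so later edits do not reintroduce unbounded weird names. RPC_BuildCall's body extends beyond both hunks, so how the function behaves after the first weird is raised cannot be judged from this page.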