add multiprotocol known_services when Known::use_service_store = F

2025-10-02 06:38:20 +00:00 · 2019-07-25 16:40:55 +02:00 · 2019-07-25 16:40:55 +02:00 · 9faabe9991
commit 9faabe9991
parent 9698d8d7cc
1 changed files with 37 additions and 11 deletions
--- a/scripts/policy/protocols/conn/known-services.zeek
+++ b/scripts/policy/protocols/conn/known-services.zeek
@ -62,11 +62,11 @@ export {
 	## of duplicates, but can also be inspected by other scripts for
 	## different purposes.
 	##
-	## In cluster operation, this set is uniformly distributed across
+	## In cluster operation, this table is uniformly distributed across
 	## proxy nodes.
 	##
-	## This set is automatically populated and shouldn't be directly modified.
-	global services: set[addr, port] &create_expire=1day;
+	## This table is automatically populated and shouldn't be directly modified.
+	global services: table[addr, port] of set[string] &create_expire=1day;

 	## Event that can be handled to access the :zeek:type:`Known::ServicesInfo`
 	## record as it is sent on to the logging framework.
@ -79,6 +79,24 @@ redef record connection += {
 	known_services_done: bool &default=F;
 };

+# Check if the triplet (host,port_num,service) is already in Known::services
+function check(info: ServicesInfo) : bool
+{
+
+        if ( [info$host, info$port_num] !in Known::services ) 
+                return F;
+
+	if ( |info$service| == 0 )
+		return T;  # don't log empty service
+
+        for(s in info$service)
+                {
+                if ( s !in Known::services[info$host, info$port_num] )
+                        return F;
+                }
+
+        return T;
+}

 event zeek_init()
 	{
@ -89,7 +107,6 @@ event zeek_init()
 	}

 event service_info_commit(info: ServicesInfo)
-                          
 	{
 	if ( ! Known::use_service_store )
 		return;
@ -119,10 +136,19 @@ event known_service_add(info: ServicesInfo)
 	if ( Known::use_service_store )
 		return;

-	if ( [info$host, info$port_num] in Known::services )
-		return;
+        if ( check(info) )
+                return;

-	add Known::services[info$host, info$port_num];
+	if([info$host, info$port_num] !in Known::services) 
+		Known::services[info$host, info$port_num] = set();
+	
+	for(s in info$service)
+		{
+		if ( s !in Known::services[info$host, info$port_num] )
+			{
+			add Known::services[info$host, info$port_num][s];
+			}
+		}

 	@if ( ! Cluster::is_enabled() ||
 	      Cluster::local_node_type() == Cluster::PROXY )
@ -139,7 +165,7 @@ event Cluster::node_up(name: string, id: string)
 		return;

 	# Drop local suppression cache on workers to force HRW key repartitioning.
-	Known::services = set();
+	Known::services = table();
 	}

 event Cluster::node_down(name: string, id: string)
@ -151,7 +177,7 @@ event Cluster::node_down(name: string, id: string)
 		return;

 	# Drop local suppression cache on workers to force HRW key repartitioning.
-	Known::services = set();
+	Known::services = table();
 	}

 event service_info_commit(info: ServicesInfo)
@ -159,10 +185,10 @@ event service_info_commit(info: ServicesInfo)
 	if ( Known::use_service_store )
 		return;

-	if ( [info$host, info$port_num] in Known::services )
+	if ( check(info) )
 		return;

-	local key = cat(info$host, info$port_num);
+	local key = cat(info$host, info$port_num, info$service);
 	Cluster::publish_hrw(Cluster::proxy_pool, key, known_service_add, info);
 	event known_service_add(info);
 	}