Merge remote-tracking branch 'origin/topic/jsiwek/gh-646-conn-removal'

Clarified doc strings a bit. * origin/topic/jsiwek/gh-646-conn-removal: GH-646: add new "successful_connection_remove" event
2025-10-15 04:58:21 +00:00 · 2019-11-18 11:44:22 +00:00 · 2019-11-18 11:44:22 +00:00 · a00f139f1c
commit a00f139f1c
parent 620b789126 31f60853c9
51 changed files with 596 additions and 379 deletions
--- a/scripts/base/frameworks/tunnels/main.zeek
+++ b/scripts/base/frameworks/tunnels/main.zeek
@ -144,7 +144,7 @@ event tunnel_changed(c: connection, e: EncapsulatingConnVector) &priority=5
 	register_all(e);
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c$id in active )
 		close(active[c$id], CLOSE);
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -419,6 +419,11 @@ type connection: record {

 	## The inner VLAN, if applicable for this connection.
 	inner_vlan: int &optional;
+
+        ## Flag that will be true if :zeek:see:`connection_successful` has
+        ## already been generated for the connection. See the documentation of
+        ## that event for a definition of what makes a connection "succesful".
+	successful: bool;
 };

 ## Default amount of time a file can be inactive before the file analysis
@ -2579,7 +2584,7 @@ export {
 		negotiate_lm_key       : bool;
 		## If set, requests connectionless authentication
 		negotiate_datagram     : bool;
-		## If set, requests session key negotiation for message 
+		## If set, requests session key negotiation for message
 		## confidentiality
 		negotiate_seal         : bool;
 		## If set, requests session key negotiation for message
@ -2767,7 +2772,7 @@ export {
 		## The server supports compressed data transfer. Requires bulk_transfer.
 		## Note: No known implementations support this
 		compressed_data	   : bool;
-		## The server supports extended security exchanges	
+		## The server supports extended security exchanges
 		extended_security  : bool;
 	};

@ -2860,7 +2865,7 @@ export {
 	};

 	type SMB1::NegotiateResponse: record {
-		## If the server does not understand any of the dialect strings, or if 
+		## If the server does not understand any of the dialect strings, or if
 		## PC NETWORK PROGRAM 1.0 is the chosen dialect.
 		core	: SMB1::NegotiateResponseCore 	&optional;
 		## If the chosen dialect is greater than core up to and including
@ -2911,7 +2916,7 @@ export {
 		## If challenge/response auth is not being used, this is the password.
 		## Otherwise, it's the response to the server's challenge.
 		## Note: Only set for pre NT LM 0.12
-		account_password	  : string &optional;		
+		account_password	  : string &optional;
 		## Client's primary domain, if known
 		## Note: not set for NT LM 0.12 with extended security
 		primary_domain		  : string &optional;
@ -2929,7 +2934,7 @@ export {
 		## Note: only set for NT LM 0.12
 		capabilities		  : SMB1::SessionSetupAndXCapabilities &optional;
 	};
-	
+
 	type SMB1::SessionSetupAndXResponse: record {
 		## Count of parameter words (should be 3 for pre NT LM 0.12 and 4 for NT LM 0.12)
 		word_count	: count;
@ -3994,7 +3999,7 @@ type bt_tracker_headers: table[string] of string;
 ## for a range of modbus coils.
 type ModbusCoils: vector of bool;

-## A vector of count values that represent 16bit modbus 
+## A vector of count values that represent 16bit modbus
 ## register values.
 type ModbusRegisters: vector of count;

--- a/scripts/base/protocols/conn/main.zeek
+++ b/scripts/base/protocols/conn/main.zeek
@ -300,6 +300,11 @@ event connection_state_remove(c: connection) &priority=5

 event connection_state_remove(c: connection) &priority=-5
 	{
-	Log::write(Conn::LOG, c$conn);
+	if ( ! c$successful )
+		Log::write(Conn::LOG, c$conn);
 	}

+event successful_connection_remove(c: connection) &priority=-5
+	{
+	Log::write(Conn::LOG, c$conn);
+	}
--- a/scripts/base/protocols/dce-rpc/main.zeek
+++ b/scripts/base/protocols/dce-rpc/main.zeek
@ -209,7 +209,7 @@ event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, s
 		}
 	}

-event connection_state_remove(c: connection)
+event successful_connection_remove(c: connection)
 	{
 	if ( ! c?$dce_rpc )
 		return;
--- a/scripts/base/protocols/dnp3/main.zeek
+++ b/scripts/base/protocols/dnp3/main.zeek
@ -63,7 +63,7 @@ event dnp3_application_response_header(c: connection, is_orig: bool, application
 	delete c$dnp3;
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( ! c?$dnp3 )
 		return;
--- a/scripts/base/protocols/dns/main.zeek
+++ b/scripts/base/protocols/dns/main.zeek
@ -571,7 +571,7 @@ event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qcl
 		c$dns$rejected = T;
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( ! c?$dns_state )
 		return;
--- a/scripts/base/protocols/ftp/main.zeek
+++ b/scripts/base/protocols/ftp/main.zeek
@ -322,7 +322,7 @@ event connection_reused(c: connection) &priority=5
 		c$ftp_data_reuse = T;
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c$ftp_data_reuse ) return;
 	if ( [c$id$resp_h, c$id$resp_p] in ftp_data_expected )
@ -334,8 +334,8 @@ event connection_state_remove(c: connection) &priority=-5
 		}
 	}

-# Use state remove event to cover connections terminated by RST.
-event connection_state_remove(c: connection) &priority=-5
+# Use remove event to cover connections terminated by RST.
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( ! c?$ftp ) return;

--- a/scripts/base/protocols/http/main.zeek
+++ b/scripts/base/protocols/http/main.zeek
@ -321,7 +321,7 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &
 		}
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	# Flush all pending but incomplete request/response pairs.
 	if ( c?$http_state )
--- a/scripts/base/protocols/irc/dcc-send.zeek
+++ b/scripts/base/protocols/irc/dcc-send.zeek
@ -124,7 +124,7 @@ event scheduled_analyzer_applied(c: connection, a: Analyzer::Tag) &priority=10
 		add c$service["irc-dcc-data"];
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( [c$id$resp_h, c$id$resp_p] in dcc_expected_transfers )
 		{
--- a/scripts/base/protocols/krb/files.zeek
+++ b/scripts/base/protocols/krb/files.zeek
@ -118,7 +118,7 @@ event krb_tgs_response(c: connection, msg: KDC_Response)
 	fill_in_subjects(c);
 	}

-event connection_state_remove(c: connection)
+event successful_connection_remove(c: connection)
 	{
 	fill_in_subjects(c);
 	}
--- a/scripts/base/protocols/krb/main.zeek
+++ b/scripts/base/protocols/krb/main.zeek
@ -228,7 +228,7 @@ event krb_tgs_response(c: connection, msg: KDC_Response) &priority=-5
 	do_log(c);
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	do_log(c);
 	}
--- a/scripts/base/protocols/mysql/main.zeek
+++ b/scripts/base/protocols/mysql/main.zeek
@ -122,7 +122,7 @@ event mysql_ok(c: connection, affected_rows: count) &priority=-5
 		}
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c?$mysql )
 		{
--- a/scripts/base/protocols/ntlm/main.zeek
+++ b/scripts/base/protocols/ntlm/main.zeek
@ -106,7 +106,7 @@ event gssapi_neg_result(c: connection, state: count) &priority=-3
 		}
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c?$ntlm && ! c$ntlm$done )
 		{
--- a/scripts/base/protocols/radius/main.zeek
+++ b/scripts/base/protocols/radius/main.zeek
@ -138,7 +138,7 @@ event radius_message(c: connection, result: RADIUS::Message) &priority=-5
 		}
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c?$radius && ! c$radius$logged )
 		{
--- a/scripts/base/protocols/rdp/main.zeek
+++ b/scripts/base/protocols/rdp/main.zeek
@ -272,7 +272,7 @@ event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason
 		write_log(c);
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	# If the connection is removed, then log the record immediately.
 	if ( c?$rdp )
--- a/scripts/base/protocols/rfb/main.zeek
+++ b/scripts/base/protocols/rfb/main.zeek
@ -151,7 +151,7 @@ event rfb_share_flag(c: connection, flag: bool) &priority=5
 	c$rfb$share_flag = flag;
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c?$rfb )
 		{
--- a/scripts/base/protocols/sip/main.zeek
+++ b/scripts/base/protocols/sip/main.zeek
@ -289,7 +289,7 @@ event sip_end_entity(c: connection, is_request: bool) &priority = -5
 		}
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c?$sip_state )
 		{
--- a/scripts/base/protocols/smtp/main.zeek
+++ b/scripts/base/protocols/smtp/main.zeek
@ -298,7 +298,7 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=3
 		c$smtp$path += ip;
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c?$smtp )
 		smtp_message(c);
--- a/scripts/base/protocols/snmp/main.zeek
+++ b/scripts/base/protocols/snmp/main.zeek
@ -93,7 +93,7 @@ function init_state(c: connection, h: SNMP::Header): Info
 	}


-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c?$snmp )
 		Log::write(LOG, c$snmp);
--- a/scripts/base/protocols/socks/main.zeek
+++ b/scripts/base/protocols/socks/main.zeek
@ -111,7 +111,7 @@ event socks_login_userpass_reply(c: connection, code: count) &priority=5
 	c$socks$status = v5_status[code];
 	}

-event connection_state_remove(c: connection)
+event successful_connection_remove(c: connection)
 	{
 	# This will handle the case where the analyzer failed in some way and was
 	# removed.  We probably  don't want to log these connections.
--- a/scripts/base/protocols/ssh/main.zeek
+++ b/scripts/base/protocols/ssh/main.zeek
@ -247,7 +247,7 @@ event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities
 	                                 server_caps$server_host_key_algorithms);
 	}

-event connection_state_remove(c: connection)
+event successful_connection_remove(c: connection)
 	{
 	if ( c?$ssh && !c$ssh$logged )
 		{
--- a/scripts/base/protocols/ssl/main.zeek
+++ b/scripts/base/protocols/ssl/main.zeek
@ -329,13 +329,13 @@ event ssl_established(c: connection) &priority=-5
 	finish(c, T);
 	}

-event connection_state_remove(c: connection) &priority=20
+event successful_connection_remove(c: connection) &priority=20
 	{
 	if ( c?$ssl && ! c$ssl$logged )
 		hook ssl_finishing(c);
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c?$ssl )
 		# called in case a SSL connection that has not been established terminates