Resolve conflicts for cherry-pick to 7.0

Arne Welzel 2025-07-02 14:48:43 +02:00
parent dd447c3f15
commit a5c4ae4291
32 changed files with 92 additions and 467 deletions


@ -388,264 +388,6 @@ type endpoint_stats: record {
endian_type: count;
};
<<<<<<< HEAD
=======
## Record containing information about a tag.
##
## .. zeek:see:: get_tags_by_category
type tag_component: record {
name: string;
canonical_name: string;
tag: string;
enabled: bool;
};
type tag_component_vec : vector of tag_component;
## Arguments given to Zeek from the command line. In order to use this, Zeek
## must use a ``--`` command line argument immediately followed by a script
## file and additional arguments after that. For example::
##
## zeek --bare-mode -- myscript.zeek -a -b -c
##
## To use Zeek as an executable interpreter, include a line at the top of a script
## like the following and make the script executable::
##
## #!/usr/local/zeek/bin/zeek --
const zeek_script_args: vector of string = vector();
## BPF filter the user has set via the -f command line options. Empty if none.
const cmd_line_bpf_filter = "" &redef;
## Base time of log rotations in 24-hour time format (``%H:%M``), e.g. "12:00".
const log_rotate_base_time = "0:00" &redef;
## Whether to attempt to automatically detect SYN/FIN/RST-filtered trace
## and not report missing segments for such connections.
## If this is enabled, then missing data at the end of connections may not
## be reported via :zeek:see:`content_gap`.
const detect_filtered_trace = F &redef;
## Whether we want :zeek:see:`content_gap` for partial
## connections. A connection is partial if it is missing a full handshake. Note
## that gap reports for partial connections might not be reliable.
##
## .. zeek:see:: content_gap partial_connection
const report_gaps_for_partial = F &redef;
## Flag to prevent Zeek from exiting automatically when input is exhausted.
## Normally Zeek terminates when all packet sources have gone dry
## and communication isn't enabled. If this flag is set, Zeek's main loop will
## instead keep idling until :zeek:see:`terminate` is explicitly called.
##
## This is mainly for testing purposes when termination behaviour needs to be
## controlled for reproducing results.
const exit_only_after_terminate = F &redef;
## Default mode for Zeek's user-space dynamic packet filter. If true, packets
## that aren't explicitly allowed through, are dropped from any further
## processing.
##
## .. note:: This is not the BPF packet filter but an additional dynamic filter
## that Zeek optionally applies just before normal processing starts.
##
## .. zeek:see:: install_dst_addr_filter install_dst_net_filter
## install_src_addr_filter install_src_net_filter uninstall_dst_addr_filter
## uninstall_dst_net_filter uninstall_src_addr_filter uninstall_src_net_filter
const packet_filter_default = F &redef;
## Maximum size of regular expression groups for signature matching.
const sig_max_group_size = 50 &redef;
## Description transmitted to remote communication peers for identification.
const peer_description = "zeek" &redef;
## Reassemble the beginning of all TCP connections before doing
## signature matching. Enabling this provides more accurate matching at the
## expense of CPU cycles.
##
## .. zeek:see:: dpd_buffer_size
## dpd_match_only_beginning dpd_ignore_ports
##
## .. note:: Despite the name, this option affects *all* signature matching, not
## only signatures used for dynamic protocol detection.
const dpd_reassemble_first_packets = T &redef;
## Size of per-connection buffer used for dynamic protocol detection. For each
## connection, Zeek buffers this initial amount of payload in memory so that
## complete protocol analysis can start even after the initial packets have
## already passed through (i.e., when a DPD signature matches only later).
## However, once the buffer is full, data is deleted and lost to analyzers that
## are activated afterwards. Then only analyzers that can deal with partial
## connections will be able to analyze the session.
##
## .. zeek:see:: dpd_reassemble_first_packets dpd_match_only_beginning
## dpd_ignore_ports dpd_max_packets
const dpd_buffer_size = 1024 &redef;
## Maximum number of per-connection packets that will be buffered for dynamic
## protocol detection. For each connection, Zeek buffers up to this amount
## of packets in memory so that complete protocol analysis can start even after
## the initial packets have already passed through (i.e., when a DPD signature
## matches only later). However, once the buffer is full, data is deleted and lost
## to analyzers that are activated afterwards. Then only analyzers that can deal
## with partial connections will be able to analyze the session.
##
## .. zeek:see:: dpd_reassemble_first_packets dpd_match_only_beginning
## dpd_ignore_ports dpd_buffer_size
const dpd_max_packets = 100 &redef;
## If true, stops signature matching if :zeek:see:`dpd_buffer_size` has been
## reached.
##
## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size
## dpd_ignore_ports
##
## .. note:: Despite the name, this option affects *all* signature matching, not
## only signatures used for dynamic protocol detection.
const dpd_match_only_beginning = T &redef;
## If true, stops signature matching after a late match. A late match may occur
## in case the DPD buffer is exhausted but a protocol signature matched. To
## allow late matching, :zeek:see:`dpd_match_only_beginning` must be disabled.
##
## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size
## dpd_match_only_beginning
##
## .. note:: Despite the name, this option stops *all* signature matching, not
## only signatures used for dynamic protocol detection but is triggered by
## DPD signatures only.
const dpd_late_match_stop = F &redef;
## If true, don't consider any ports for deciding which protocol analyzer to
## use.
##
## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size
## dpd_match_only_beginning
const dpd_ignore_ports = F &redef;
## Ports which the core considers being likely used by servers. For ports in
## this set, it may heuristically decide to flip the direction of the
## connection if it misses the initial handshake.
const likely_server_ports: set[port] &redef;
## Holds the filename of the trace file given with ``-w`` (empty if none).
##
## .. zeek:see:: record_all_packets
const trace_output_file = "";
## If a trace file is given with ``-w``, dump *all* packets seen by Zeek into it.
## By default, Zeek applies (very few) heuristics to reduce the volume. A side
## effect of setting this to true is that we can write the packets out before we
## actually process them, which can be helpful for debugging in case the
## analysis triggers a crash.
##
## .. zeek:see:: trace_output_file
const record_all_packets = F &redef;
## Ignore certain TCP retransmissions for :zeek:see:`conn_stats`. Some
## connections (e.g., SSH) retransmit the acknowledged last byte to keep the
## connection alive. If *ignore_keep_alive_rexmit* is set to true, such
## retransmissions will be excluded in the rexmit counter in
## :zeek:see:`conn_stats`.
##
## .. zeek:see:: conn_stats
const ignore_keep_alive_rexmit = F &redef;
## Seed for hashes computed internally for probabilistic data structures. Using
## the same value here will make the hashes compatible between independent Zeek
## instances. If left unset, Zeek will use a temporary local seed.
const global_hash_seed: string = "" &redef;
## Number of bits in UIDs that are generated to identify connections and
## files. The larger the value, the more confidence in UID uniqueness.
## The maximum is currently 128 bits.
const bits_per_uid: count = 96 &redef;
## This salt value is used for several message digests in Zeek. We
## use a salt to help mitigate the possibility of an attacker
## manipulating source data to, e.g., mount complexity attacks or
## cause ID collisions.
## This salt is, for example, used by :zeek:see:`get_file_handle`
## to generate installation-unique file IDs (the *id* field of :zeek:see:`fa_file`).
const digest_salt = "Please change this value." &redef;
## Maximum string length allowed for calls to the :zeek:see:`find_all` and
## :zeek:see:`find_all_ordered` BIFs.
const max_find_all_string_length: int = 10000 &redef;
## How many rounds to go without checking IO sources with file descriptors
## for readiness by default. This is used when reading from traces.
##
## Very roughly, when reading from a pcap, setting this to 100 results in
## 100 packets being processed without checking FD based IO sources.
##
## .. note:: This should not be changed outside of development or when
## debugging problems with the main-loop, or developing features with
## tight main-loop interaction.
##
## .. zeek:see:: io_poll_interval_live
const io_poll_interval_default = 100 &redef;
## How often to check IO sources with file descriptors for readiness when
## monitoring with a live packet source.
##
## The poll interval gets defaulted to 100 which is good for cases like reading
## from pcap files and when there isn't a packet source, but is a little too
## infrequent for live sources (especially fast live sources). Set it down a
## little bit for those sources.
##
## .. note:: This should not be changed outside of development or when
## debugging problems with the main-loop, or developing features with
## tight main-loop interaction.
##
## .. zeek:see:: io_poll_interval_default
const io_poll_interval_live = 10 &redef;
## Whether Zeek is being run under test. This can be used to alter functionality
## while testing, but should be used sparingly.
const running_under_test: bool = F &redef;
## The amount of time before a connection created by the netbios analyzer times
## out and is removed.
const netbios_ssn_session_timeout: interval = 15 sec &redef;
module EventMetadata;
export {
## Enum type for metadata identifiers.
type ID: enum {
NETWORK_TIMESTAMP = 1,
};
## A event metadata entry.
type Entry: record {
id: EventMetadata::ID; ##< The registered :zeek:see:`EventMetadata::ID` value.
val: any; ##< The value. Its type matches what was passed to :zeek:see:`EventMetadata::register`.
};
## Add network timestamp metadata to all events.
##
## Adding network timestamp metadata affects local and
## remote events. Events scheduled have a network timestamp
## of when the scheduled timer was supposed to expire, which
## might be a value before the network_time() when the event
## was actually dispatched.
const add_network_timestamp: bool = F &redef;
## By default, remote events without network timestamp metadata
## will yield a negative zeek:see:`current_event_time` during
## processing. To have the receiving Zeek node set the event's
## network timestamp metadata with its current local network time,
## set this option to true.
##
## This setting is only in effect if :zeek:see:`EventMetadata::add_network_timestamp`
## is also set to true.
const add_missing_remote_network_timestamp: bool = F &redef;
}
module ConnKey;
export {
@ -659,24 +401,6 @@ export {
const factory = ConnKey::CONNKEY_FIVETUPLE &redef;
}
module FTP;
export {
## Limits the size of commands accepted by the FTP analyzer. Longer commands
## raise a FTP_max_command_length_exceeded weird and are discarded.
const max_command_length = 100 &redef;
}
module SMTP;
export {
## The maximum line length within a BDAT chunk before a forceful linebreak
## is introduced and a weird is raised. Conventionally, MIME messages
## have a maximum line length of 1000 octets when properly encoded.
const bdat_max_line_length = 4096 &redef;
}
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
module TCP;
export {
## A TCP Option field parsed from a TCP header.
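Review bot: Resolving the conflict by dropping the whole region between the markers also drops `module ConnKey; export { const factory = ConnKey::CONNKEY_FIVETUPLE &redef; }` (L236-L240), which comes from the cherry-picked change rather than from 7.0, unlike the surrounding options that 7.0 presumably already defines elsewhere in this file. The C++ side kept in this commit (`conn_key_mgr->GetFactory()` in session/Manager.cc and the ZAM ops) most likely selects the factory from this script-layer option, so unless it was re-added outside the hunks the manager would have nothing to read at startup. Restore the three-line `module ConnKey` export next to the other kept definitions, or record in the commit message where it now lives.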


@ -1,17 +1,8 @@
@load test-all-policy.zeek
# Scripts which are commented out in test-all-policy.zeek.
<<<<<<< HEAD
=======
@load frameworks/analyzer/deprecated-dpd-log.zeek
@load frameworks/conn_key/vlan_fivetuple.zeek
# Remove in v8.1: replaced by frameworks/analyzer/detect-protocols.zeek
@pragma push ignore-deprecations
@load frameworks/dpd/detect-protocols.zeek
@pragma pop ignore-deprecations
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
@load protocols/ssl/decryption.zeek
@load frameworks/cluster/nodes-experimental/manager.zeek
@load frameworks/control/controllee.zeek


@ -173,11 +173,7 @@ gen_zam_target(${GEN_ZAM_SRC_DIR})
option(USE_SQLITE "Should Zeek use SQLite?" ON)
add_subdirectory(analyzer)
<<<<<<< HEAD
=======
add_subdirectory(conn_key)
add_subdirectory(cluster)
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
add_subdirectory(packet_analysis)
add_subdirectory(broker)
add_subdirectory(telemetry)


@ -48,15 +48,15 @@ Connection::Connection(zeek::IPBasedConnKeyPtr k, double t, uint32_t flow, const
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
/*
* awelzel: This is deprecated and a mess make work, so commented out.
*
Connection::Connection(const detail::ConnKey& k, double t, const ConnTuple* id, uint32_t flow, const Packet* pkt)
: Session(t, connection_timeout, connection_status_update, detail::connection_status_update_interval) {
orig_addr = id->src_addr;
resp_addr = id->dst_addr;
orig_port = id->src_port;
resp_port = id->dst_port;
<<<<<<< HEAD
proto = TRANSPORT_UNKNOWN;
=======
switch ( id->proto ) {
case IPPROTO_TCP: proto = TRANSPORT_TCP; break;
@ -72,6 +72,7 @@ Connection::Connection(const detail::ConnKey& k, double t, const ConnTuple* id,
Init(flow, pkt);
}
*/
#pragma GCC diagnostic pop
Connection::~Connection() {
@ -89,7 +90,6 @@ Connection::~Connection() {
}
void Connection::Init(uint32_t flow, const Packet* pkt) {
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
orig_flow_label = flow;
resp_flow_label = 0;
saw_first_orig_packet = 1;
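Review bot: After the deprecated constructor is turned into a block comment (L296-L313), the `#pragma GCC diagnostic push` / `ignored "-Wdeprecated-declarations"` at L294-L295 and the `pop` at L314 no longer enclose any code, and the new text is a personal aside (`awelzel: This is deprecated and a mess make work`) rather than something a later reader can act on. Since the matching declaration in Conn.h (L368-L371) is commented out the same way, either delete the definition together with the now-empty pragma pair, or keep it but replace the aside with an actionable marker such as `// TODO(awelzel): deprecated ConnTuple constructor disabled for the 7.0 backport; drop with ConnTuple in v8.1.`. It is also worth confirming that the `<<<<<<< HEAD` / `=======` markers at L305 and L307 did not survive inside the comment body, where the compiler would not flag them.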


@ -30,15 +30,9 @@ class RecordVal;
using ValPtr = IntrusivePtr<Val>;
using RecordValPtr = IntrusivePtr<RecordVal>;
<<<<<<< HEAD
namespace session {
class Manager;
}
=======
class IPBasedConnKey;
using IPBasedConnKeyPtr = std::unique_ptr<IPBasedConnKey>;
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
namespace detail {
class Specific_RE_Matcher;
@ -66,23 +60,14 @@ enum ConnEventToFlag {
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
struct ConnTuple {
<<<<<<< HEAD
IPAddr src_addr;
IPAddr dst_addr;
uint32_t src_port = 0;
uint32_t dst_port = 0;
bool is_one_way = false; // if true, don't canonicalize order
TransportProto proto = TRANSPORT_UNKNOWN;
=======
#pragma GCC diagnostic pop
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] IPAddr src_addr;
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] IPAddr dst_addr;
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] uint32_t src_port = 0;
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] uint32_t dst_port = 0;
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] uint16_t proto = UNKNOWN_IP_PROTO;
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] TransportProto transport = TRANSPORT_UNKNOWN;
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] bool is_one_way =
false; // if true, don't canonicalize order
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
};
static inline int addr_port_canon_lt(const IPAddr& addr1, uint32_t p1, const IPAddr& addr2, uint32_t p2) {
@ -93,8 +78,10 @@ class Connection final : public session::Session {
public:
Connection(zeek::IPBasedConnKeyPtr k, double t, uint32_t flow, const Packet* pkt);
[[deprecated("Remove in v8.1. Switch to ConnKey factories and the new zeek::ConnKey tree.")]]
Connection(const detail::ConnKey& k, double t, const ConnTuple* id, uint32_t flow, const Packet* pkt);
/* awelzel: Commented because it's a hard to make this work and it's deprecated anyhow.
[[deprecated("Remove in v8.1. Switch to ConnKey factories and the new zeek::ConnKey tree.")]] Connection(
const detail::ConnKey& k, double t, const ConnTuple* id, uint32_t flow, const Packet* pkt);
*/
~Connection() override;
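Review bot: The forward-declaration conflict at L329-L336 is resolved by keeping only `class IPBasedConnKey;` / `IPBasedConnKeyPtr` and dropping 7.0's `namespace session { class Manager; }`. If any declaration further down this header still names `session::Manager` (a friend declaration, for instance; the rest of the class is outside the hunks), the header stops being self-contained, so keep both forward declarations unless that use was removed as part of the backport. The commented-out deprecated constructor at L368-L371 is likewise a block comment carrying a personal aside rather than either a removal or a `TODO`; pick one so the header does not carry dead text into the release branch.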


@ -67,7 +67,7 @@ protected:
*
* @param pkt The packet that's currently being processed.
*/
virtual void DoInit(const Packet& pkt) {};
virtual void DoInit(const Packet& pkt){};
/**
* Hook method for ConnKey::PopulateConnIdVal.


@ -32,6 +32,9 @@ namespace detail {
class FragReassembler;
}
// From Zeek 8.0 for proto support.
constexpr uint16_t UNKNOWN_IP_PROTO = 65535;
#ifndef IPPROTO_MOBILITY
#define IPPROTO_MOBILITY 135
#endif


@ -28,7 +28,7 @@ ConnKey::ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
ConnKey::ConnKey(const ConnTuple& id) {
Init(id.src_addr, id.dst_addr, id.src_port, id.dst_port, id.proto, id.is_one_way);
Init(id.src_addr, id.dst_addr, id.src_port, id.dst_port, id.transport, id.is_one_way);
}
ConnKey& ConnKey::operator=(const ConnKey& rhs) {


@ -8,6 +8,7 @@
#include <memory>
#include <string>
#include "zeek/net_util.h"
#include "zeek/threading/SerialTypes.h"
using in4_addr = in_addr;
@ -29,22 +30,15 @@ public:
in6_addr ip2;
uint16_t port1 = 0;
uint16_t port2 = 0;
TransportProto transport = TRANSPORT_UNKNOWN;
TransportProto transport = TRANSPORT_UNKNOWN; // awelzel: In 8.0 this is proto. It's not used, so shrug.
bool valid = true;
<<<<<<< HEAD
ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, TransportProto t, bool one_way);
ConnKey(const ConnTuple& conn);
ConnKey(const ConnKey& rhs) { *this = rhs; }
ConnKey(Val* v);
=======
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] ConnKey(const IPAddr& src, const IPAddr& dst,
uint16_t src_port, uint16_t dst_port,
uint16_t proto, bool one_way);
TransportProto t, bool one_way);
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] ConnKey(const ConnTuple& conn);
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] ConnKey(const ConnKey& rhs) { *this = rhs; }
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] ConnKey(Val* v);
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
bool operator<(const ConnKey& rhs) const { return memcmp(this, &rhs, sizeof(ConnKey)) < 0; }
bool operator<=(const ConnKey& rhs) const { return memcmp(this, &rhs, sizeof(ConnKey)) <= 0; }


@ -5,21 +5,13 @@
#include <binpac.h>
#include <algorithm>
<<<<<<< HEAD
=======
#include "zeek/3rdparty/doctest.h"
#include "zeek/Conn.h"
#include "zeek/Event.h"
#include "zeek/analyzer/Manager.h"
#include "zeek/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.h"
#include "zeek/packet_analysis/protocol/tcp/TCPSessionAdapter.h"
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
#include "zeek/3rdparty/doctest.h"
#include "zeek/Event.h"
#include "zeek/ZeekString.h"
#include "zeek/analyzer/Manager.h"
#include "zeek/analyzer/protocol/pia/PIA.h"
namespace zeek::analyzer {
class AnalyzerTimer final : public zeek::detail::Timer {


@ -2,7 +2,7 @@
#pragma once
#include "zeek/ConnKey.h"
#include "zeek/util-types.h"
#include "zeek/util.h"
namespace zeek {


@ -22,18 +22,13 @@ bool GTPv1_Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pack
const auto& key = conn->Key();
auto sk = key.SessionKey();
<<<<<<< HEAD
auto cm_it = conn_map.find(conn_key);
if ( cm_it == conn_map.end() )
cm_it = conn_map.insert(cm_it, {conn_key, std::make_unique<binpac::GTPv1::GTPv1_Conn>(this)});
=======
auto cm_it = conn_map.find(sk);
if ( cm_it == conn_map.end() ) {
sk.CopyData(); // Copy key data to store in map.
auto [it, inserted] = conn_map.emplace(std::move(sk), std::make_unique<binpac::GTPv1::GTPv1_Conn>(this));
assert(inserted);
cm_it = it;
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
}
try {
cm_it->second->set_raw_packet(packet);


@ -38,13 +38,6 @@ bool ICMPAnalyzer::InitConnKey(size_t len, const uint8_t* data, Packet* packet,
if ( ! CheckHeaderTrunc(ICMP_MINLEN, len, packet) )
return false;
<<<<<<< HEAD
tuple.src_addr = packet->ip_hdr->SrcAddr();
tuple.dst_addr = packet->ip_hdr->DstAddr();
tuple.proto = TRANSPORT_ICMP;
=======
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
const struct icmp* icmpp = (const struct icmp*)data;
uint32_t icmp_counter_type = 0;


@ -1,5 +1,4 @@
zeek_add_plugin(
<<<<<<< HEAD
PacketAnalyzer
IP
SOURCES
@ -7,9 +6,5 @@ zeek_add_plugin(
IPBasedAnalyzer.cc
SessionAdapter.cc
Plugin.cc)
=======
PacketAnalyzer IP
SOURCES IP.cc IPBasedAnalyzer.cc SessionAdapter.cc Plugin.cc)
add_subdirectory(conn_key)
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')


@ -118,8 +118,8 @@ protected:
/**
* Parse the header from the packet into a ConnTuple object.
*/
[[deprecated("Remove in v8.1. Switch to InitConnKey() and key-only initialization.")]]
virtual bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) {
[[deprecated("Remove in v8.1. Switch to InitConnKey() and key-only initialization.")]] virtual bool BuildConnTuple(
size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) {
return false;
}


@ -1,3 +1 @@
zeek_add_plugin(
Zeek ConnKey_Fivetuple
SOURCES Factory.cc Plugin.cc)
zeek_add_plugin(Zeek ConnKey_Fivetuple SOURCES Factory.cc Plugin.cc)


@ -5,7 +5,7 @@
#include "zeek/IP.h"
#include "zeek/Val.h"
#include "zeek/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.h"
#include "zeek/util-types.h"
#include "zeek/util.h"
namespace zeek::conn_key::fivetuple {


@ -1,3 +1 @@
zeek_add_plugin(
Zeek Conntuple_VLAN
SOURCES Factory.cc Plugin.cc)
zeek_add_plugin(Zeek Conntuple_VLAN SOURCES Factory.cc Plugin.cc)


@ -9,7 +9,7 @@
#include "zeek/iosource/Packet.h"
#include "zeek/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.h"
#include "zeek/packet_analysis/protocol/ip/conn_key/fivetuple/Factory.h"
#include "zeek/util-types.h"
#include "zeek/util.h"
namespace zeek::conn_key::vlan_fivetuple {


@ -33,21 +33,8 @@ bool TCPAnalyzer::InitConnKey(size_t len, const uint8_t* data, Packet* packet, I
if ( ! CheckHeaderTrunc(min_hdr_len, len, packet) )
return false;
<<<<<<< HEAD
tuple.src_addr = packet->ip_hdr->SrcAddr();
tuple.dst_addr = packet->ip_hdr->DstAddr();
data = packet->ip_hdr->Payload();
const struct tcphdr* tp = (const struct tcphdr*)data;
tuple.src_port = tp->th_sport;
tuple.dst_port = tp->th_dport;
tuple.is_one_way = false;
tuple.proto = TRANSPORT_TCP;
=======
const struct tcphdr* tp = (const struct tcphdr*)packet->ip_hdr->Payload();
key.InitTuple(packet->ip_hdr->SrcAddr(), tp->th_sport, packet->ip_hdr->DstAddr(), tp->th_dport, packet->proto);
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
return true;
}


@ -153,12 +153,8 @@ bool TeredoAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pack
return false;
}
// awelzel: This is the code in 7.0. Creepy.
conn = static_cast<Connection*>(packet->session);
zeek::detail::ConnKey conn_key = conn->Key();
OrigRespMap::iterator or_it = orig_resp_map.find(conn_key);
if ( or_it == orig_resp_map.end() )
or_it = orig_resp_map.insert(or_it, {conn_key, {}});
detail::TeredoEncapsulation te(this);
if ( ! te.Parse(data, len) ) {
@ -188,8 +184,6 @@ bool TeredoAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pack
return false;
}
<<<<<<< HEAD
=======
const auto& k = conn->Key();
auto sk = k.SessionKey();
OrigRespMap::iterator or_it = orig_resp_map.find(sk);
@ -204,10 +198,9 @@ bool TeredoAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pack
assert(inserted);
or_it = it;
packet->session->EnqueueEvent(new_teredo_state, nullptr, packet->session->GetVal());
// packet->session->EnqueueEvent(new_teredo_state, nullptr, packet->session->GetVal());
}
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
if ( packet->is_orig )
or_it->second.valid_orig = true;
else
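Review bot: Commenting out `packet->session->EnqueueEvent(new_teredo_state, nullptr, packet->session->GetVal());` at L618 silently stops the `new_teredo_state` event from being raised when a new origin/responder entry is created, which any script relying on that event will see as a behavior change rather than a backport artifact. If this is only a temporary measure to get the branch building, replace the bare comment with `// TODO(awelzel): new_teredo_state disabled for the 7.0 backport; restore before merge` so it cannot slip through unnoticed; otherwise restore the call. The `// awelzel: This is the code in 7.0. Creepy.` line at L598 above the unchecked `static_cast<Connection*>(packet->session)` should likewise say what the concern is or go, since the enclosing AnalyzePacket starts outside the hunk and a reader has no other context for it.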


@ -60,14 +60,7 @@ bool UDPAnalyzer::InitConnKey(size_t len, const uint8_t* data, Packet* packet, I
return false;
const struct udphdr* up = (const struct udphdr*)packet->ip_hdr->Payload();
<<<<<<< HEAD
tuple.src_port = up->uh_sport;
tuple.dst_port = up->uh_dport;
tuple.is_one_way = false;
tuple.proto = TRANSPORT_UDP;
=======
key.InitTuple(packet->ip_hdr->SrcAddr(), up->uh_sport, packet->ip_hdr->DstAddr(), up->uh_dport, packet->proto);
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
return true;
}


@ -39,21 +39,8 @@ void Component::Describe(ODesc* d) const {
case component::SESSION_ADAPTER: d->Add("Session Adapter"); break;
<<<<<<< HEAD
=======
case component::CLUSTER_BACKEND: d->Add("Cluster Backend"); break;
case component::EVENT_SERIALIZER: d->Add("Event Serializer"); break;
case component::LOG_SERIALIZER: d->Add("Log Serializer"); break;
case component::STORAGE_BACKEND: d->Add("Storage Backend"); break;
case component::STORAGE_SERIALIZER: d->Add("Storage Serializer"); break;
case component::CONNKEY: d->Add("ConnKey Factory"); break;
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
default:
reporter->InternalWarning("unknown component type in plugin::Component::Describe");
d->Add("<unknown component type>");
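Review bot: As far as the hunk counts let one tell, this resolution keeps the 7.0 `Describe` cases and drops the merged-side ones, including `case component::CONNKEY: d->Add("ConnKey Factory"); break;` (L652), and Component.h (L665-L690) correspondingly keeps the plain `enum Type` without `CONNKEY`. The conn_key subdirectory and `conn_key/Manager.h` are kept elsewhere in this commit, so if the backported conn_key component registers with `component::CONNKEY`, it needs both the enumerator in Component.h and the `Describe` case here; the cluster and storage enumerators can stay dropped if those frameworks are not being backported. If the enumerator is present but the case is missing, `Describe` only reaches the `default:` InternalWarning at run time rather than failing the build, so this is worth checking explicitly.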


@ -20,7 +20,6 @@ namespace component {
/**
* Component types.
*/
<<<<<<< HEAD
enum Type {
READER, /// An input reader (not currently used).
WRITER, /// A logging writer (not currently used).
@ -31,24 +30,7 @@ enum Type {
PKTSRC, /// A packet source.
PKTDUMPER, /// A packet dumper.
SESSION_ADAPTER, /// A session adapter analyzer.
=======
enum Type : uint8_t {
READER, /// An input reader (not currently used).
WRITER, /// A logging writer (not currently used).
ANALYZER, /// A protocol analyzer.
PACKET_ANALYZER, /// A packet analyzer.
FILE_ANALYZER, /// A file analyzer.
IOSOURCE, /// An I/O source, excluding packet sources.
PKTSRC, /// A packet source.
PKTDUMPER, /// A packet dumper.
SESSION_ADAPTER, /// A session adapter analyzer.
CLUSTER_BACKEND, /// A cluster backend.
EVENT_SERIALIZER, /// A serializer for events, used by cluster backends.
LOG_SERIALIZER, /// A serializer for log batches, used by cluster backends.
STORAGE_BACKEND, /// A backend for the storage framework.
STORAGE_SERIALIZER, /// A serializer for the storage framework.
CONNKEY, /// A factory for connection keys.
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
};
} // namespace component


@ -2514,8 +2514,11 @@ type V
eval auto teredo = zeek::packet_mgr->GetAnalyzer("Teredo");
if ( teredo )
{
zeek::detail::ConnKey conn_key(frame[z.v1].record_val);
static_cast<zeek::packet_analysis::teredo::TeredoAnalyzer*>(teredo.get())->RemoveConnection(conn_key);
auto r = zeek::conn_key_mgr->GetFactory().ConnKeyFromVal(*frame[z.v1].record_val);
if ( ! r.has_value() )
return zeek::val_mgr->False();
auto sk = r.value()->SessionKey();
static_cast<zeek::packet_analysis::teredo::TeredoAnalyzer*>(teredo.get())->RemoveConnection(sk);
}
internal-op Remove-Teredo
@ -2524,8 +2527,11 @@ type VV
eval auto teredo = zeek::packet_mgr->GetAnalyzer("Teredo");
if ( teredo )
{
zeek::detail::ConnKey conn_key(frame[z.v2].record_val);
static_cast<zeek::packet_analysis::teredo::TeredoAnalyzer*>(teredo.get())->RemoveConnection(conn_key);
auto r = zeek::conn_key_mgr->GetFactory().ConnKeyFromVal(*frame[z.v2].record_val);
if ( ! r.has_value() )
return zeek::val_mgr->False();
auto sk = r.value()->SessionKey();
static_cast<zeek::packet_analysis::teredo::TeredoAnalyzer*>(teredo.get())->RemoveConnection(sk);
}
frame[z.v1].int_val = 1;
@ -2535,8 +2541,11 @@ type V
eval auto gtpv1 = zeek::packet_mgr->GetAnalyzer("GTPv1");
if ( gtpv1 )
{
zeek::detail::ConnKey conn_key(frame[z.v1].record_val);
static_cast<zeek::packet_analysis::gtpv1::GTPv1_Analyzer*>(gtpv1.get())->RemoveConnection(conn_key);
auto r = zeek::conn_key_mgr->GetFactory().ConnKeyFromVal(*frame[z.v1].record_val);
if ( ! r.has_value() )
return zeek::val_mgr->False();
auto sk = r.value()->SessionKey();
static_cast<zeek::packet_analysis::gtpv1::GTPv1_Analyzer*>(gtpv1.get())->RemoveConnection(sk);
}
internal-op Remove-GTPv1
@ -2545,8 +2554,11 @@ type VV
eval auto gtpv1 = zeek::packet_mgr->GetAnalyzer("GTPv1");
if ( gtpv1 )
{
zeek::detail::ConnKey conn_key(frame[z.v2].record_val);
static_cast<zeek::packet_analysis::gtpv1::GTPv1_Analyzer*>(gtpv1.get())->RemoveConnection(conn_key);
auto r = zeek::conn_key_mgr->GetFactory().ConnKeyFromVal(*frame[z.v2].record_val);
if ( ! r.has_value() )
return zeek::val_mgr->False();
auto sk = r.value()->SessionKey();
static_cast<zeek::packet_analysis::gtpv1::GTPv1_Analyzer*>(gtpv1.get())->RemoveConnection(sk);
}
frame[z.v1].int_val = 1;
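Review bot: The new failure path `if ( ! r.has_value() ) return zeek::val_mgr->False();` (L702-L703, repeated at L715-L716, L728-L729 and L741-L742) uses a bare `return` inside an `eval` body. If these bodies are expanded inline into the ZAM execution loop, as the `frame[z.v1]` accesses suggest, that `return` leaves the whole compiled function rather than failing this one instruction, and for the `VV` forms it also skips `frame[z.v1].int_val = 1;` without ever writing a false result. Suggest keeping control inside the op: skip the removal when the key cannot be built and, in the `VV` forms, derive the result slot from `r.has_value()`; the Remove-Teredo `VV` body would then read as below, with the GTPv1 forms changed the same way.
```cpp
eval	auto teredo = zeek::packet_mgr->GetAnalyzer("Teredo");
	bool ok = true;
	if ( teredo )
		{
		auto r = zeek::conn_key_mgr->GetFactory().ConnKeyFromVal(*frame[z.v2].record_val);
		ok = r.has_value();
		if ( ok )
			{
			auto sk = r.value()->SessionKey();
			static_cast<zeek::packet_analysis::teredo::TeredoAnalyzer*>(teredo.get())->RemoveConnection(sk);
			}
		}
	frame[z.v1].int_val = ok ? 1 : 0;
```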


@ -10,6 +10,7 @@
#include "zeek/Reporter.h"
#include "zeek/Traverse.h"
#include "zeek/Trigger.h"
#include "zeek/conn_key/Manager.h"
#include "zeek/script_opt/ScriptOpt.h"
#include "zeek/script_opt/ZAM/Compile.h"
#include "zeek/session/Manager.h"


@ -18,12 +18,7 @@
#include "zeek/RunState.h"
#include "zeek/Timer.h"
#include "zeek/TunnelEncapsulation.h"
<<<<<<< HEAD
#include "zeek/analyzer/Manager.h"
#include "zeek/iosource/IOSource.h"
=======
#include "zeek/conn_key/Manager.h"
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
#include "zeek/packet_analysis/Manager.h"
#include "zeek/session/Session.h"
#include "zeek/telemetry/Manager.h"
@ -95,14 +90,10 @@ Connection* Manager::FindConnection(Val* v) {
// different builder.
auto r = conn_key_mgr->GetFactory().ConnKeyFromVal(*v);
<<<<<<< HEAD
if ( ! conn_key.valid )
=======
if ( ! r.has_value() ) {
// Produce a loud error for invalid script-layer conn_id records.
zeek::emit_builtin_error(r.error().c_str());
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
return nullptr;
}
return FindConnection(*r.value());
}
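Review bot: The include conflict at L765-L770 is resolved by taking only `#include "zeek/conn_key/Manager.h"` and dropping 7.0's `#include "zeek/analyzer/Manager.h"` and `#include "zeek/iosource/IOSource.h"`. Those two were in the 7.0 file for a reason; if anything in this translation unit still refers to `analyzer_mgr` or iosource types (the rest of the file is outside the hunks), it now compiles only through transitive includes, so keep all three. The `FindConnection(Val*)` rewrite itself reads fine: the `r.error()` text reaches `zeek::emit_builtin_error` before the `nullptr` return, which is the loud failure the new comment promises.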


@ -54,12 +54,7 @@
#include "zeek/analyzer/Manager.h"
#include "zeek/binpac_zeek.h"
#include "zeek/broker/Manager.h"
<<<<<<< HEAD
=======
#include "zeek/cluster/Backend.h"
#include "zeek/cluster/Manager.h"
#include "zeek/conn_key/Manager.h"
>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
#include "zeek/file_analysis/Manager.h"
#include "zeek/input.h"
#include "zeek/input/Manager.h"


@ -4,12 +4,12 @@ warning in <...>/__load__.zeek, line 1: deprecated script loaded from <...>/__lo
warning in <...>/__load__.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:2 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/__load__.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:2 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/__load__.zeek, line 1: deprecated script loaded from command line arguments "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/extracted_file_limits.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:147 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/extracted_file_limits.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:147 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/extracted_file_limits.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:148 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/extracted_file_limits.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:148 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/extracted_file_limits.zeek, line 1: deprecated script loaded from command line arguments "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/packet-fragments.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:148 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/packet-fragments.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:148 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/packet-fragments.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:149 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/packet-fragments.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:149 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/packet-fragments.zeek, line 1: deprecated script loaded from command line arguments "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/warnings.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:149 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/warnings.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:149 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/warnings.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:150 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/warnings.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:150 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/warnings.zeek, line 1: deprecated script loaded from command line arguments "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";

@ -1,21 +1,21 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
warning in <...>/__load__.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:2 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/extracted_file_limits.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:147 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/packet-fragments.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:148 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/warnings.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:149 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/extracted_file_limits.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:148 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/packet-fragments.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:149 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/warnings.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:150 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
received termination signal
warning in <...>/__load__.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:2 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/extracted_file_limits.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:147 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/packet-fragments.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:148 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/warnings.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:149 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/extracted_file_limits.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:148 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/packet-fragments.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:149 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/warnings.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:150 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
received termination signal
warning in <...>/__load__.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:2 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/extracted_file_limits.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:147 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/packet-fragments.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:148 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/warnings.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:149 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/extracted_file_limits.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:148 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/packet-fragments.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:149 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/warnings.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:150 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
received termination signal
warning in <...>/__load__.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:2 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/extracted_file_limits.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:147 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/packet-fragments.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:148 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/warnings.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:149 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/extracted_file_limits.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:148 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/packet-fragments.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:149 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
warning in <...>/warnings.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:150 "Remove in v7.1 The policy<...>/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";
received termination signal

@ -5,11 +5,31 @@ Demo::Foo - A Foo ConnKey factory (dynamic, version 1.0.0)
===
DoNewConnKey (0 key all_inits)
DoNewConnKey (1 key all_inits)
DoConnKeyFromVal for [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp, proto=6, inits=0]
DoConnKeyFromVal for [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp, inits=0]
DoNewConnKey (2 key all_inits)
DoConnKeyFromVal for [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp, proto=6, inits=0]
DoConnKeyFromVal for [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp, inits=0]
DoNewConnKey (6 key all_inits)
DoNewConnKey (22 key all_inits)
DoNewConnKey (40 key all_inits)
DoConnKeyFromVal for [orig_h=141.142.220.235, orig_p=37604/tcp, resp_h=199.233.217.249, resp_p=56666/tcp, inits=1]
DoNewConnKey (53 key all_inits)
DoConnKeyFromVal for [orig_h=141.142.220.235, orig_p=37604/tcp, resp_h=199.233.217.249, resp_p=56666/tcp, inits=1]
DoNewConnKey (53 key all_inits)
DoConnKeyFromVal for [orig_h=141.142.220.235, orig_p=59378/tcp, resp_h=199.233.217.249, resp_p=56667/tcp, inits=22]
DoNewConnKey (54 key all_inits)
DoConnKeyFromVal for [orig_h=141.142.220.235, orig_p=59378/tcp, resp_h=199.233.217.249, resp_p=56667/tcp, inits=22]
DoNewConnKey (54 key all_inits)
DoNewConnKey (60 key all_inits)
DoNewConnKey (78 key all_inits)
DoConnKeyFromVal for [orig_h=199.233.217.249, orig_p=61920/tcp, resp_h=141.142.220.235, resp_p=33582/tcp, inits=40]
DoNewConnKey (90 key all_inits)
DoConnKeyFromVal for [orig_h=199.233.217.249, orig_p=61920/tcp, resp_h=141.142.220.235, resp_p=33582/tcp, inits=40]
DoNewConnKey (90 key all_inits)
DoConnKeyFromVal for [orig_h=199.233.217.249, orig_p=61918/tcp, resp_h=141.142.220.235, resp_p=37835/tcp, inits=60]
DoNewConnKey (95 key all_inits)
DoConnKeyFromVal for [orig_h=199.233.217.249, orig_p=61918/tcp, resp_h=141.142.220.235, resp_p=37835/tcp, inits=60]
DoNewConnKey (95 key all_inits)
DoConnKeyFromVal for [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp, inits=0]
DoNewConnKey (95 key all_inits)
DoConnKeyFromVal for [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp, inits=0]
DoNewConnKey (95 key all_inits)

@ -10,6 +10,4 @@ set(CMAKE_MODULE_PATH ${ZEEK_DIST}/cmake)
include(ZeekPlugin)
zeek_add_plugin(
Demo Foo
SOURCES src/Plugin.cc src/Foo.cc)
zeek_add_plugin(Demo Foo SOURCES src/Plugin.cc src/Foo.cc)