mirror of https://github.com/zeek/zeek.git, synced 2025-10-02 06:38:20 +00:00
signatures: Support custom event via [event_name] syntax
This change allows specifying a signature-specific event, overriding the default signature_match event. It further removes the message parameter from such events if it is not provided in the signature. This also tracks the message as a StringValPtr directly to avoid allocating the same StringVal for every DoAction() call. Closes #3403
parent d11ac929af
commit a7b077aa17
10 changed files with 202 additions and 10 deletions
NEWS  +35
@ -69,6 +69,41 @@ New Functionality
Given this is the first iteration of this feature, feedback around usability and
use-cases that aren't covered are more than welcome.
- The event keyword in signatures was extended to support choosing a custom event
to raise instead of ``signature_match()``. This can be more efficient in certain
scenarios compared to funneling every match through a single event.
The new syntax is to put the name of the event in brackets before the string
or identifier used as message. As an extension, it is possible to only provide
the bracketed event name. In this case, the framework expects the event's
parameters to consist of only state and data as follows:
signature only-event {
payload /.*root/
event [found_root]
}
event found_root(state: signature_state, data: string) { }
Passing an additional message parameter to a custom event is possible with the
following syntax. The custom event's parameters need to align with those for the
``signature_match()` event:
signature event-with-msg {
payload /.*root/
event [found_root_with_msg] "the-message"
}
event found_root_with_msg(state: signature_state, msg: string, data: string) { }
The message can also be specified as a Zeek side identifier, in which case
its initial value will be passed to the custom events. This is identical
to the behavior with the default ``signature_match()`` event.
Note that matches for signatures with custom events will not be recorded in
``signatures.log``. This log is based on the generation of ``signature_match()``
events.
Changed Functionality
---------------------
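Review bot: the inline literal in "``signature_match()` event:" opens with two backticks and closes with one, so reStructuredText will not terminate the literal and docutils will warn on this NEWS entry; it should read ``signature_match()`` as in the earlier "instead of ``signature_match()``" and the later "``signature_match()`` events" lines. In the same hunk, the two example signatures are introduced by lines ending in a single colon ("as follows:" and "event:"); in RST an indented block after a single colon renders as a block quote rather than a literal block, so either end those lines with "::" or add an explicit ".. code-block::" directive so the signature bodies and event prototypes keep their layout. The caveat that custom-event matches are not written to ``signatures.log`` is the right thing to call out here, since operators who currently alert off that log will silently lose visibility for any signature they convert to the bracketed syntax; consider adding a one-line hint that such handlers need to log on their own.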