mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Merge remote-tracking branch 'jgras/topic/jgras/log-disable-analyzer'
* jgras/topic/jgras/log-disable-analyzer: Extend btest for logging of disabled analyzers Add logging of disabled analyzers to analyzer.log
This commit is contained in:
Arne Welzel
commit
a9c4daaa22
9 changed files with 92 additions and 9 deletions
6
CHANGES
6
CHANGES
|
|
@ -1,3 +1,9 @@
|
||||||
|
7.0.0-dev.461 | 2024-07-10 18:45:36 +0200
|
||||||
|
|
||||||
|
* Extend btest for logging of disabled analyzers (Jan Grashoefer, Corelight)
|
||||||
|
|
||||||
|
* Add logging of disabled analyzers to analyzer.log (Jan Grashoefer, Corelight)
|
||||||
|
|
||||||
7.0.0-dev.458 | 2024-07-10 11:05:19 +0200
|
7.0.0-dev.458 | 2024-07-10 11:05:19 +0200
|
||||||
|
|
||||||
* testing/btest: Default to HILTI_JIT_PARALLELISM=1 (Arne Welzel, Corelight)
|
* testing/btest: Default to HILTI_JIT_PARALLELISM=1 (Arne Welzel, Corelight)
|
||||||
|
|
|
||||||
3
NEWS
3
NEWS
|
|
@ -112,6 +112,9 @@ New Functionality
|
||||||
the object-based representation of ports that ``to_json()`` generates for that
|
the object-based representation of ports that ``to_json()`` generates for that
|
||||||
Zeek type.
|
Zeek type.
|
||||||
|
|
||||||
|
- The ``analyzer.log`` now optionally supports logging of disabled analyzers
|
||||||
|
through the new option ``Analyzer::logging::include_disabling``.
|
||||||
|
|
||||||
Changed Functionality
|
Changed Functionality
|
||||||
---------------------
|
---------------------
|
||||||
|
|
||||||
|
|
|
||||||
2
VERSION
2
VERSION
|
|
@ -1 +1 @@
|
||||||
7.0.0-dev.458
|
7.0.0-dev.461
|
||||||
|
|
|
||||||
|
|
@ -53,6 +53,12 @@ export {
|
||||||
## service field.
|
## service field.
|
||||||
option include_confirmations = F;
|
option include_confirmations = F;
|
||||||
|
|
||||||
|
## Enable tracking of analyzers getting disabled. This is mostly
|
||||||
|
## interesting for troubleshooting of analyzers in DPD scenarios.
|
||||||
|
## Setting this option may also generated multiple log entries per
|
||||||
|
## connection.
|
||||||
|
option include_disabling = F;
|
||||||
|
|
||||||
## If a violation contains information about the data causing it,
|
## If a violation contains information about the data causing it,
|
||||||
## include at most this many bytes of it in the log.
|
## include at most this many bytes of it in the log.
|
||||||
option failure_data_max_size = 40;
|
option failure_data_max_size = 40;
|
||||||
|
|
@ -88,11 +94,24 @@ event zeek_init() &priority=5
|
||||||
Option::set_change_handler("Analyzer::Logging::include_confirmations",
|
Option::set_change_handler("Analyzer::Logging::include_confirmations",
|
||||||
include_confirmations_handler);
|
include_confirmations_handler);
|
||||||
|
|
||||||
|
local include_disabling_handler = function(id: string, new_value: bool): bool {
|
||||||
|
if ( new_value )
|
||||||
|
enable_event_group("Analyzer::Logging::include_disabling");
|
||||||
|
else
|
||||||
|
disable_event_group("Analyzer::Logging::include_disabling");
|
||||||
|
|
||||||
|
return new_value;
|
||||||
|
};
|
||||||
|
Option::set_change_handler("Analyzer::Logging::include_disabling",
|
||||||
|
include_disabling_handler);
|
||||||
|
|
||||||
# Call the handlers directly with the current values to avoid config
|
# Call the handlers directly with the current values to avoid config
|
||||||
# framework interactions like creating entries in config.log.
|
# framework interactions like creating entries in config.log.
|
||||||
enable_handler("Analyzer::Logging::enable", Analyzer::Logging::enable);
|
enable_handler("Analyzer::Logging::enable", Analyzer::Logging::enable);
|
||||||
include_confirmations_handler("Analyzer::Logging::include_confirmations",
|
include_confirmations_handler("Analyzer::Logging::include_confirmations",
|
||||||
Analyzer::Logging::include_confirmations);
|
Analyzer::Logging::include_confirmations);
|
||||||
|
include_disabling_handler("Analyzer::Logging::include_disabling",
|
||||||
|
Analyzer::Logging::include_disabling);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -119,7 +138,7 @@ function populate_from_file(rec: Info, f: fa_file)
|
||||||
{
|
{
|
||||||
rec$fuid = f$id;
|
rec$fuid = f$id;
|
||||||
# If the confirmation didn't have a connection, but the
|
# If the confirmation didn't have a connection, but the
|
||||||
# fa_file object has has exactly one, use it.
|
# fa_file object has exactly one, use it.
|
||||||
if ( ! rec?$uid && f?$conns && |f$conns| == 1 )
|
if ( ! rec?$uid && f?$conns && |f$conns| == 1 )
|
||||||
{
|
{
|
||||||
for ( _, c in f$conns )
|
for ( _, c in f$conns )
|
||||||
|
|
@ -151,7 +170,7 @@ event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirm
|
||||||
Log::write(LOG, rec);
|
Log::write(LOG, rec);
|
||||||
}
|
}
|
||||||
|
|
||||||
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
|
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=6
|
||||||
{
|
{
|
||||||
if ( atype in ignore_analyzers )
|
if ( atype in ignore_analyzers )
|
||||||
return;
|
return;
|
||||||
|
|
@ -180,3 +199,25 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
|
||||||
|
|
||||||
Log::write(LOG, rec);
|
Log::write(LOG, rec);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=-1000 &group="Analyzer::Logging::include_disabling"
|
||||||
|
{
|
||||||
|
if ( atype in ignore_analyzers )
|
||||||
|
return;
|
||||||
|
|
||||||
|
local rec = Info(
|
||||||
|
$ts=network_time(),
|
||||||
|
$cause="disabled",
|
||||||
|
$analyzer_kind=analyzer_kind(atype),
|
||||||
|
$analyzer_name=Analyzer::name(atype),
|
||||||
|
);
|
||||||
|
|
||||||
|
populate_from_conn(rec, c);
|
||||||
|
|
||||||
|
if ( c?$dpd_state && aid in c$dpd_state$violations )
|
||||||
|
{
|
||||||
|
rec$failure_data = fmt("Disabled after %d violations", c$dpd_state$violations[aid]);
|
||||||
|
}
|
||||||
|
|
||||||
|
Log::write(LOG, rec);
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -108,6 +108,8 @@
|
||||||
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::ignore_analyzers, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
|
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::ignore_analyzers, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_confirmations, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
|
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_confirmations, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_confirmations, lambda_<15261139872714441626>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_confirmations)elsedisable_event_group(Analyzer::Logging::include_confirmations)return (Analyzer::Logging::new_value)}, 0)) -> <no result>
|
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_confirmations, lambda_<15261139872714441626>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_confirmations)elsedisable_event_group(Analyzer::Logging::include_confirmations)return (Analyzer::Logging::new_value)}, 0)) -> <no result>
|
||||||
|
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_disabling, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
|
||||||
|
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_disabling, lambda_<3084630089048204467>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_disabling)elsedisable_event_group(Analyzer::Logging::include_disabling)return (Analyzer::Logging::new_value)}, 0)) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Broker::peer_counts_as_iosource, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
|
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Broker::peer_counts_as_iosource, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Conn::analyzer_inactivity_timeouts, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
|
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Conn::analyzer_inactivity_timeouts, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Conn::default_extract, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
|
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Conn::default_extract, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
|
||||||
|
|
@ -302,6 +304,7 @@
|
||||||
0.000000 MetaHookPost CallFunction(__init_primary_bifs, <null>, ()) -> <no result>
|
0.000000 MetaHookPost CallFunction(__init_primary_bifs, <null>, ()) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(__init_secondary_bifs, <null>, ()) -> <no result>
|
0.000000 MetaHookPost CallFunction(__init_secondary_bifs, <null>, ()) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(disable_event_group, <frame>, (Analyzer::Logging::include_confirmations)) -> <no result>
|
0.000000 MetaHookPost CallFunction(disable_event_group, <frame>, (Analyzer::Logging::include_confirmations)) -> <no result>
|
||||||
|
0.000000 MetaHookPost CallFunction(disable_event_group, <frame>, (Analyzer::Logging::include_disabling)) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(enable_module_events, <frame>, (Analyzer::Logging)) -> <no result>
|
0.000000 MetaHookPost CallFunction(enable_module_events, <frame>, (Analyzer::Logging)) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(getenv, <null>, (CLUSTER_NODE)) -> <no result>
|
0.000000 MetaHookPost CallFunction(getenv, <null>, (CLUSTER_NODE)) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> <no result>
|
0.000000 MetaHookPost CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> <no result>
|
||||||
|
|
@ -313,6 +316,7 @@
|
||||||
0.000000 MetaHookPost CallFunction(is_packet_analyzer, <frame>, (AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS)) -> <no result>
|
0.000000 MetaHookPost CallFunction(is_packet_analyzer, <frame>, (AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS)) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(lambda_<15261139872714441626>, <frame>, (Analyzer::Logging::include_confirmations, F)) -> <no result>
|
0.000000 MetaHookPost CallFunction(lambda_<15261139872714441626>, <frame>, (Analyzer::Logging::include_confirmations, F)) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(lambda_<2645182068207650863>, <frame>, (Analyzer::Logging::enable, T)) -> <no result>
|
0.000000 MetaHookPost CallFunction(lambda_<2645182068207650863>, <frame>, (Analyzer::Logging::enable, T)) -> <no result>
|
||||||
|
0.000000 MetaHookPost CallFunction(lambda_<3084630089048204467>, <frame>, (Analyzer::Logging::include_disabling, F)) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(port_to_count, <frame>, (2123/udp)) -> <no result>
|
0.000000 MetaHookPost CallFunction(port_to_count, <frame>, (2123/udp)) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(port_to_count, <frame>, (2152/udp)) -> <no result>
|
0.000000 MetaHookPost CallFunction(port_to_count, <frame>, (2152/udp)) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(port_to_count, <frame>, (3544/udp)) -> <no result>
|
0.000000 MetaHookPost CallFunction(port_to_count, <frame>, (3544/udp)) -> <no result>
|
||||||
|
|
@ -1024,6 +1028,8 @@
|
||||||
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::ignore_analyzers, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
|
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::ignore_analyzers, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
|
||||||
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_confirmations, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
|
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_confirmations, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
|
||||||
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_confirmations, lambda_<15261139872714441626>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_confirmations)elsedisable_event_group(Analyzer::Logging::include_confirmations)return (Analyzer::Logging::new_value)}, 0))
|
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_confirmations, lambda_<15261139872714441626>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_confirmations)elsedisable_event_group(Analyzer::Logging::include_confirmations)return (Analyzer::Logging::new_value)}, 0))
|
||||||
|
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_disabling, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
|
||||||
|
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_disabling, lambda_<3084630089048204467>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_disabling)elsedisable_event_group(Analyzer::Logging::include_disabling)return (Analyzer::Logging::new_value)}, 0))
|
||||||
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Broker::peer_counts_as_iosource, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
|
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Broker::peer_counts_as_iosource, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
|
||||||
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Conn::analyzer_inactivity_timeouts, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
|
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Conn::analyzer_inactivity_timeouts, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
|
||||||
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Conn::default_extract, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
|
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Conn::default_extract, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
|
||||||
|
|
@ -1218,6 +1224,7 @@
|
||||||
0.000000 MetaHookPre CallFunction(__init_primary_bifs, <null>, ())
|
0.000000 MetaHookPre CallFunction(__init_primary_bifs, <null>, ())
|
||||||
0.000000 MetaHookPre CallFunction(__init_secondary_bifs, <null>, ())
|
0.000000 MetaHookPre CallFunction(__init_secondary_bifs, <null>, ())
|
||||||
0.000000 MetaHookPre CallFunction(disable_event_group, <frame>, (Analyzer::Logging::include_confirmations))
|
0.000000 MetaHookPre CallFunction(disable_event_group, <frame>, (Analyzer::Logging::include_confirmations))
|
||||||
|
0.000000 MetaHookPre CallFunction(disable_event_group, <frame>, (Analyzer::Logging::include_disabling))
|
||||||
0.000000 MetaHookPre CallFunction(enable_module_events, <frame>, (Analyzer::Logging))
|
0.000000 MetaHookPre CallFunction(enable_module_events, <frame>, (Analyzer::Logging))
|
||||||
0.000000 MetaHookPre CallFunction(getenv, <null>, (CLUSTER_NODE))
|
0.000000 MetaHookPre CallFunction(getenv, <null>, (CLUSTER_NODE))
|
||||||
0.000000 MetaHookPre CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS))
|
0.000000 MetaHookPre CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS))
|
||||||
|
|
@ -1229,6 +1236,7 @@
|
||||||
0.000000 MetaHookPre CallFunction(is_packet_analyzer, <frame>, (AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS))
|
0.000000 MetaHookPre CallFunction(is_packet_analyzer, <frame>, (AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS))
|
||||||
0.000000 MetaHookPre CallFunction(lambda_<15261139872714441626>, <frame>, (Analyzer::Logging::include_confirmations, F))
|
0.000000 MetaHookPre CallFunction(lambda_<15261139872714441626>, <frame>, (Analyzer::Logging::include_confirmations, F))
|
||||||
0.000000 MetaHookPre CallFunction(lambda_<2645182068207650863>, <frame>, (Analyzer::Logging::enable, T))
|
0.000000 MetaHookPre CallFunction(lambda_<2645182068207650863>, <frame>, (Analyzer::Logging::enable, T))
|
||||||
|
0.000000 MetaHookPre CallFunction(lambda_<3084630089048204467>, <frame>, (Analyzer::Logging::include_disabling, F))
|
||||||
0.000000 MetaHookPre CallFunction(port_to_count, <frame>, (2123/udp))
|
0.000000 MetaHookPre CallFunction(port_to_count, <frame>, (2123/udp))
|
||||||
0.000000 MetaHookPre CallFunction(port_to_count, <frame>, (2152/udp))
|
0.000000 MetaHookPre CallFunction(port_to_count, <frame>, (2152/udp))
|
||||||
0.000000 MetaHookPre CallFunction(port_to_count, <frame>, (3544/udp))
|
0.000000 MetaHookPre CallFunction(port_to_count, <frame>, (3544/udp))
|
||||||
|
|
@ -1939,6 +1947,8 @@
|
||||||
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::ignore_analyzers, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
|
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::ignore_analyzers, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
|
||||||
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::include_confirmations, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
|
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::include_confirmations, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
|
||||||
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::include_confirmations, lambda_<15261139872714441626>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_confirmations)elsedisable_event_group(Analyzer::Logging::include_confirmations)return (Analyzer::Logging::new_value)}, 0)
|
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::include_confirmations, lambda_<15261139872714441626>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_confirmations)elsedisable_event_group(Analyzer::Logging::include_confirmations)return (Analyzer::Logging::new_value)}, 0)
|
||||||
|
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::include_disabling, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
|
||||||
|
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::include_disabling, lambda_<3084630089048204467>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_disabling)elsedisable_event_group(Analyzer::Logging::include_disabling)return (Analyzer::Logging::new_value)}, 0)
|
||||||
0.000000 | HookCallFunction Option::set_change_handler(Broker::peer_counts_as_iosource, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
|
0.000000 | HookCallFunction Option::set_change_handler(Broker::peer_counts_as_iosource, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
|
||||||
0.000000 | HookCallFunction Option::set_change_handler(Conn::analyzer_inactivity_timeouts, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
|
0.000000 | HookCallFunction Option::set_change_handler(Conn::analyzer_inactivity_timeouts, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
|
||||||
0.000000 | HookCallFunction Option::set_change_handler(Conn::default_extract, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
|
0.000000 | HookCallFunction Option::set_change_handler(Conn::default_extract, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
|
||||||
|
|
@ -2133,6 +2143,7 @@
|
||||||
0.000000 | HookCallFunction __init_primary_bifs()
|
0.000000 | HookCallFunction __init_primary_bifs()
|
||||||
0.000000 | HookCallFunction __init_secondary_bifs()
|
0.000000 | HookCallFunction __init_secondary_bifs()
|
||||||
0.000000 | HookCallFunction disable_event_group(Analyzer::Logging::include_confirmations)
|
0.000000 | HookCallFunction disable_event_group(Analyzer::Logging::include_confirmations)
|
||||||
|
0.000000 | HookCallFunction disable_event_group(Analyzer::Logging::include_disabling)
|
||||||
0.000000 | HookCallFunction enable_module_events(Analyzer::Logging)
|
0.000000 | HookCallFunction enable_module_events(Analyzer::Logging)
|
||||||
0.000000 | HookCallFunction getenv(CLUSTER_NODE)
|
0.000000 | HookCallFunction getenv(CLUSTER_NODE)
|
||||||
0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS)
|
0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS)
|
||||||
|
|
@ -2144,6 +2155,7 @@
|
||||||
0.000000 | HookCallFunction is_packet_analyzer(AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS)
|
0.000000 | HookCallFunction is_packet_analyzer(AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS)
|
||||||
0.000000 | HookCallFunction lambda_<15261139872714441626>(Analyzer::Logging::include_confirmations, F)
|
0.000000 | HookCallFunction lambda_<15261139872714441626>(Analyzer::Logging::include_confirmations, F)
|
||||||
0.000000 | HookCallFunction lambda_<2645182068207650863>(Analyzer::Logging::enable, T)
|
0.000000 | HookCallFunction lambda_<2645182068207650863>(Analyzer::Logging::enable, T)
|
||||||
|
0.000000 | HookCallFunction lambda_<3084630089048204467>(Analyzer::Logging::include_disabling, F)
|
||||||
0.000000 | HookCallFunction port_to_count(2123/udp)
|
0.000000 | HookCallFunction port_to_count(2123/udp)
|
||||||
0.000000 | HookCallFunction port_to_count(2152/udp)
|
0.000000 | HookCallFunction port_to_count(2152/udp)
|
||||||
0.000000 | HookCallFunction port_to_count(3544/udp)
|
0.000000 | HookCallFunction port_to_count(3544/udp)
|
||||||
|
|
|
||||||
|
|
@ -13,6 +13,4 @@ XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 5399
|
||||||
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
||||||
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
||||||
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
||||||
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
|
||||||
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
@ -15,6 +15,4 @@ XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 5399
|
||||||
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
||||||
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
||||||
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
||||||
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
|
||||||
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,17 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
#separator \x09
|
||||||
|
#set_separator ,
|
||||||
|
#empty_field (empty)
|
||||||
|
#unset_field -
|
||||||
|
#path analyzer
|
||||||
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
|
#fields ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
|
||||||
|
#types time string string string string string addr port addr port string string
|
||||||
|
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: out_of_bound: DCE_RPC_PDU:frag: -2665 > 31 -
|
||||||
|
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
||||||
|
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
||||||
|
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
||||||
|
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
||||||
|
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
|
||||||
|
XXXXXXXXXX.XXXXXX disabled protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 - Disabled after 6 violations
|
||||||
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
@ -1,11 +1,19 @@
|
||||||
# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT
|
# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT
|
||||||
# @TEST-EXEC: mv analyzer.log analyzer.log-no-confirmations
|
# @TEST-EXEC: mv analyzer.log analyzer.log-default
|
||||||
# @TEST-EXEC: btest-diff analyzer.log-no-confirmations
|
# @TEST-EXEC: btest-diff analyzer.log-default
|
||||||
|
|
||||||
# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT Analyzer::Logging::include_confirmations=T
|
# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT Analyzer::Logging::include_confirmations=T
|
||||||
# @TEST-EXEC: mv analyzer.log analyzer.log-include-confirmations
|
# @TEST-EXEC: mv analyzer.log analyzer.log-include-confirmations
|
||||||
# @TEST-EXEC: btest-diff analyzer.log-include-confirmations
|
# @TEST-EXEC: btest-diff analyzer.log-include-confirmations
|
||||||
|
|
||||||
|
# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT Analyzer::Logging::include_disabling=T
|
||||||
|
# @TEST-EXEC: mv analyzer.log analyzer.log-include-disabling
|
||||||
|
# @TEST-EXEC: btest-diff analyzer.log-include-disabling
|
||||||
|
|
||||||
@load base/protocols/conn
|
@load base/protocols/conn
|
||||||
@load base/protocols/dns
|
@load base/protocols/dns
|
||||||
@load base/protocols/socks
|
@load base/protocols/socks
|
||||||
|
|
||||||
|
# DCE RPC violations are ignored by default. Consider violations for this
|
||||||
|
# test so that the analyzer will be disabled eventually.
|
||||||
|
redef DPD::ignore_violations -= { Analyzer::ANALYZER_DCE_RPC };
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue