Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Introduce global disabling_analyzer() hook to veto disable_analyzer()

Browse source 
This hook can be used to coordinate disabling an analyzer for a given
connection. The contract is simple: Any script can veto a disable_analyzer()
call by breaking from this hook. The decision is local to the script taking
into account any state attached to the connection object or script specific
state stored elsewhere.
A script breaking from the hook takes over the responsibility to call
disable_analyzer() at a later point when it finds the condition due to which
it vetoed fulfilled (which may be never).

Signature:

    disabling_analyzer: hook(c: connection, atype: AllAnalyzers::Tag, aid: count);

Example use-cases are keeping the SSL analyzer enabled for finger-printing
until a certain amount of bytes or packets have been transferred or
similarly the connection duration exceed a certain threshold.

Other example use-cases might be keeping analyzers for SSH, RDP or SSL
enabled for connections from specific subnets.

It's a bit quirky as it makes disable_analyzer() a maybe operation. While log
policy hooks and/or the notice hook have similar semantics, they are not as
stateful. It still seems like a quite powerful primitive.

The disable_analyzer() call in dpd/main.zeek may motivate the addition of a
force flag as a follow-up for situations where the caller "knows better" or
absolutely wants to override.

Closes #1678 #1593.
This commit is contained in:
Arne Welzel 2022-08-09 15:57:59 +02:00
parent 02985b9966
commit abb7f9a509
6 changed files with 149 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

16
scripts/base/init-bare.zeek
View file

@ -584,6 +584,22 @@ type fa_metadata: record {
inferred: bool &default=T;
};
## A hook taking a connection, analyzer tag and analyzer id that can be
## used to veto disabling analyzers. This hook is invoked synchronously
## during a :zeek:see:`disable_analyzer` call.
##
## Scripts implementing this hook should have other logic that will eventually
## disable the analyzer for the given connection. That is, if a script vetoes
## disabling an analyzer, it takes responsibility for a later call to
## :zeek:see:`disable_analyzer`, which may be never.
##
## c: The connection
##
## atype: The type / tag of the analyzer being disabled.
##
## aid: The analyzer ID.
type disabling_analyzer: hook(c: connection, atype: AllAnalyzers::Tag, aid: count);
## Fields of a SYN packet.
##
## .. zeek:see:: connection_SYN_packet