Merge branch 'topic/jgras/dpd-late-match' of https://github.com/J-Gras/zeek

* 'topic/jgras/dpd-late-match' of https://github.com/J-Gras/zeek:
  Improve dpd_late_match event generation.
  Improve logging of speculative service.
  Update test-all-policy script.
  Add speculative service script.
  Allow to handle late DPD matches.

scripts/base/init-bare.zeek

@@ -4684,6 +4684,18 @@ const dpd_buffer_size = 1024 &redef;
 ##    only signatures used for dynamic protocol detection.
 const dpd_match_only_beginning = T &redef;
 
+## If true, stops signature matching after a late match. A late match may occur
+## in case the DPD buffer is exhausted but a protocol signature matched. To
+## allow late matching, :zeek:see:`dpd_match_only_beginning` must be disabled.
+##
+## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size
+##    dpd_match_only_beginning
+##
+## .. note:: Despite the name, this option stops *all* signature matching, not
+##    only signatures used for dynamic protocol detection but is triggered by
+##    DPD signatures only.
+const dpd_late_match_stop = F &redef;
+
 ## If true, don't consider any ports for deciding which protocol analyzer to
 ## use.
 ##

scripts/policy/protocols/conn/speculative-service.zeek

@@ -0,0 +1,36 @@
+##! This script adds information about matched DPD signatures to the connection
+##! log.
+
+@load base/protocols/conn
+
+module Conn;
+
+redef record Info += {
+	## Protocol that was determined by a matching signature after the beginning
+	## of a connection. In this situation no analyzer can be attached and hence
+	## the data cannot be analyzed nor the protocol can be confirmed.
+	speculative_service: string &log &optional;
+};
+
+redef record connection += {
+	speculative_service: set[string] &default=string_set();
+};
+
+redef dpd_match_only_beginning = F;
+redef dpd_late_match_stop = T;
+
+event protocol_late_match(c: connection, atype: Analyzer::Tag)
+	{
+	local analyzer = Analyzer::name(atype);
+	add c$speculative_service[analyzer];
+	}
+
+event connection_state_remove(c: connection)
+	{
+	local sp_service = "";
+	for ( s in c$speculative_service )
+		sp_service = sp_service == "" ? s : cat(sp_service, ",", s);
+
+	if ( sp_service != "" )
+		c$conn$speculative_service = to_lower(sp_service);
+	}

scripts/test-all-policy.zeek

@@ -67,6 +67,7 @@
 @load protocols/conn/mac-logging.zeek
 @load protocols/conn/vlan-logging.zeek
 @load protocols/conn/weirds.zeek
+#@load protocols/conn/speculative-service.zeek
 @load protocols/dhcp/msg-orig.zeek
 @load protocols/dhcp/software.zeek
 @load protocols/dhcp/sub-opts.zeek

scripts/zeekygen/__load__.zeek

@@ -6,6 +6,7 @@
 @load frameworks/control/controller.zeek
 @load frameworks/files/extract-all-files.zeek
 @load policy/misc/dump-events.zeek
+@load policy/protocols/conn/speculative-service.zeek
 
 @load ./example.zeek