Merge branch 'topic/jgras/dpd-late-match' of https://github.com/J-Gras/zeek

* 'topic/jgras/dpd-late-match' of https://github.com/J-Gras/zeek: Improve dpd_late_match event generation. Improve logging of speculative service. Update test-all-policy script. Add speculative service script. Allow to handle late DPD matches.
2025-10-05 08:08:19 +00:00 · 2019-09-17 11:16:47 -07:00 · 2019-09-17 11:16:47 -07:00 · aeef4bf030
commit aeef4bf030
parent 6f9d1ec72d b216e9cbc9
16 changed files with 186 additions and 2 deletions
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -4684,6 +4684,18 @@ const dpd_buffer_size = 1024 &redef;
 ##    only signatures used for dynamic protocol detection.
 const dpd_match_only_beginning = T &redef;

+## If true, stops signature matching after a late match. A late match may occur
+## in case the DPD buffer is exhausted but a protocol signature matched. To
+## allow late matching, :zeek:see:`dpd_match_only_beginning` must be disabled.
+##
+## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size
+##    dpd_match_only_beginning
+##
+## .. note:: Despite the name, this option stops *all* signature matching, not
+##    only signatures used for dynamic protocol detection but is triggered by
+##    DPD signatures only.
+const dpd_late_match_stop = F &redef;
+
 ## If true, don't consider any ports for deciding which protocol analyzer to
 ## use.
 ##