Analyzer failure logging: tweaks and test fixes
The main part of this commit is the test changes. Many tests that previously relied on analyzer.log or dpd.log now use the new analyzer_failed.log. I verified all the changes and, as far as I can tell, everything behaves as it should; this includes the external test baselines. This change also enables logging of file and packet analyzers to analyzer_failed.log and fixes some small behavior issues. The analyzer_failed event is no longer raised when the removal of an analyzer is vetoed. If an analyzer is no longer active when an analyzer violation is raised, the analyzer_failed event is now raised anyway; this can happen, e.g., when an analyzer error occurs at the very end of the connection. This makes the behavior closer to what happened in the past, and also intuitively seems to make sense. A bug introduced in the failed-service logging was fixed.
This commit is contained in:
parent
8c814fa88c
commit
af77a7a83b
143 changed files with 4523 additions and 4329 deletions
|
@ -1,4 +1,4 @@
|
|||
##! Logging analyzer violations into analyzer-failed.log
|
||||
##! Logging analyzer violations into analyzer_failed.log
|
||||
|
||||
@load base/frameworks/logging
|
||||
@load ./main
|
||||
|
@ -25,10 +25,8 @@ export {
|
|||
fuid: string &log &optional;
|
||||
## Connection identifier if available
|
||||
id: conn_id &log &optional;
|
||||
|
||||
## Failure or violation reason, if available.
|
||||
failure_reason: string &log;
|
||||
|
||||
## Data causing failure or violation if available. Truncated
|
||||
## to :zeek:see:`Analyzer::Logging::failure_data_max_size`.
|
||||
failure_data: string &log &optional;
|
||||
|
@ -48,10 +46,10 @@ export {
|
|||
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(LOG, [$columns=Info, $path="analyzer-failed", $ev=log_analyzer_failed, $policy=log_policy]);
|
||||
Log::create_stream(LOG, [$columns=Info, $path="analyzer_failed", $ev=log_analyzer_failed, $policy=log_policy]);
|
||||
}
|
||||
|
||||
event analyzer_failed(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
|
||||
function log_analyzer_failure(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
|
||||
{
|
||||
local rec = Info(
|
||||
$ts=ts,
|
||||
|
@ -82,7 +80,39 @@ event analyzer_failed(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolatio
|
|||
}
|
||||
|
||||
if ( info?$data )
|
||||
rec$failure_data = info$data;
|
||||
{
|
||||
if ( failure_data_max_size > 0 )
|
||||
rec$failure_data = info$data[0:failure_data_max_size];
|
||||
else
|
||||
rec$failure_data = info$data;
|
||||
}
|
||||
|
||||
Log::write(LOG, rec);
|
||||
}
|
||||
|
||||
# event currently is only raised for protocol analyzers; we do not fail packet and file analyzers
|
||||
event analyzer_failed(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
|
||||
{
|
||||
if ( ! is_protocol_analyzer(atype) )
|
||||
return;
|
||||
|
||||
if ( ! info?$c )
|
||||
return;
|
||||
|
||||
# log only for previously confirmed service that did not already log violation
|
||||
local analyzer_name = Analyzer::name(atype);
|
||||
if ( analyzer_name !in info$c$service || analyzer_name in info$c$service_violation )
|
||||
return;
|
||||
|
||||
log_analyzer_failure(ts, atype, info);
|
||||
}
|
||||
|
||||
# log packet and file analyzers here separately
|
||||
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo )
|
||||
{
|
||||
if ( is_protocol_analyzer(atype) )
|
||||
return;
|
||||
|
||||
log_analyzer_failure(network_time(), atype, info);
|
||||
}
|
||||
|
||||
|
|
|
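Review bot: The new `analyzer_violation_info` handler for packet and file analyzers logs every violation unconditionally, whereas the protocol path it replaces is gated both by a prior confirmation (`analyzer_name !in info$c$service` check in `analyzer_failed`) and, in the base handler shown later in this commit, by `ignore_violations_after`; a peer that can provoke repeated file-analyzer violations on one connection can therefore grow analyzer_failed.log without bound, which is a log-flooding concern worth a cap or at least a comment such as `# NOTE: no confirmation or ignore_violations_after limit applies to packet/file analyzers`. Separately, the `analyzer_failed` handler here relies on running before the base handler at `&priority=-5` that removes the name from `c$service` and adds it to `c$service_violation`; the service-membership test on the `analyzer_name !in info$c$service` line silently breaks if this handler's priority is ever lowered, so I would state that in the comment: `# Must run before the base analyzer_failed handler (&priority=-5), which drops the name from c$service.`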
@ -30,7 +30,7 @@ redef record connection += {
|
|||
service_violation: set[string] &default=set() &ordered;
|
||||
};
|
||||
|
||||
## add confirmed protocol analyzers to conn.log service field
|
||||
# Add confirmed protocol analyzers to conn.log service field
|
||||
event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &priority=10
|
||||
{
|
||||
if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
|
||||
|
@ -44,10 +44,11 @@ event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirm
|
|||
add c$service[analyzer];
|
||||
}
|
||||
|
||||
## Remove failed analyzers from service field and add them to c$service_violation
|
||||
event analyzer_failed(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
|
||||
# Remove failed analyzers from service field and add them to c$service_violation
|
||||
# Low priority to allow other handlers to check if the analyzer was confirmed
|
||||
event analyzer_failed(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=-5
|
||||
{
|
||||
if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
|
||||
if ( ! is_protocol_analyzer(atype) )
|
||||
return;
|
||||
|
||||
if ( ! info?$c )
|
||||
|
@ -80,7 +81,7 @@ event analyzer_failed(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolatio
|
|||
|
||||
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo ) &priority=5
|
||||
{
|
||||
if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
|
||||
if ( ! is_protocol_analyzer(atype) )
|
||||
return;
|
||||
|
||||
if ( ! info?$c || ! info?$aid )
|
||||
|
@ -95,9 +96,18 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
|
|||
if ( ignore_violations_after > 0 && size > ignore_violations_after )
|
||||
return;
|
||||
|
||||
# analyzer already was removed or connection finished
|
||||
# let's still log this.
|
||||
if ( lookup_connection_analyzer_id(c$id, atype) == 0 )
|
||||
{
|
||||
event analyzer_failed(network_time(), atype, info);
|
||||
return;
|
||||
}
|
||||
|
||||
local disabled = disable_analyzer(c$id, aid, F);
|
||||
|
||||
# If no one objected to the removal, send failed event
|
||||
event analyzer_failed(network_time(), atype, info);
|
||||
# If analyzer was disabled, send failed event
|
||||
if ( disabled )
|
||||
event analyzer_failed(network_time(), atype, info);
|
||||
}
|
||||
|
||||
|
|
|
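Review bot: `analyzer_confirmation_info` still admits packet analyzers into `c$service` (the `! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype)` guard is unchanged), but the `analyzer_failed` and `analyzer_violation_info` handlers now return early for anything that is not a protocol analyzer, so a confirmed packet analyzer can never be moved from `c$service` to `c$service_violation`. That asymmetry is intentional per the commit message, but it is invisible at the confirmation site; a comment there would save the next reader a search: `# Packet analyzers are added to c$service but never removed on violation (see analyzer_failed below).` In the new early-raise branch, the liveness test uses `lookup_connection_analyzer_id(c$id, atype)` by tag while the disable call below it uses `aid`; if more than one analyzer instance of the same tag can be attached to a connection, a surviving sibling would mask the removed instance and the violation would go to `disable_analyzer` for an id that is already gone, which is worth confirming against the core's semantics.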
@ -172,6 +172,23 @@ export {
|
|||
##
|
||||
## This set can be added to via :zeek:see:`redef`.
|
||||
global requested_analyzers: set[AllAnalyzers::Tag] = {} &redef;
|
||||
|
||||
## Event that is raised when an analyzer raised a service violation and was
|
||||
## removed.
|
||||
##
|
||||
## The event is also raised if the analyzer already was no longer active by
|
||||
## the time that the violation was handled - so if it happens at the very
|
||||
## end of a connection.
|
||||
##
|
||||
## Currently this event is only raised for protocol analyzers, as packet
|
||||
## and file analyzers are never actively removed/disabled.
|
||||
##
|
||||
## ts: time at which the violation occurred
|
||||
##
|
||||
## atype: atype: The analyzer tag, such as ``Analyzer::ANALYZER_HTTP``.
|
||||
##
|
||||
##info: Details about the violation. This record should include a :zeek:type:`connection`
|
||||
global analyzer_failed: event(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo);
|
||||
}
|
||||
|
||||
@load base/bif/analyzer.bif
|
||||
|
|
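Review bot: The Zeekygen block for `analyzer_failed` has two formatting slips: `## atype: atype: The analyzer tag` repeats the parameter name, and `##info: Details about the violation` is missing the space after `##`, which presumably keeps it from being picked up as a doc comment (verify against the generated docs). The contract also omits what the base handler does with the event: at `&priority=-5` it removes the analyzer name from `c$service` and adds it to `c$service_violation`, so script authors who want to see the pre-failure confirmed state must handle it at a higher priority; I would add `## Handlers at priority below -5 see the connection after the analyzer has been moved from c$service to c$service_violation.` The export block continues outside the hunk.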