mirror of
https://github.com/zeek/zeek.git
synced 2025-10-15 21:18:20 +00:00
Introduce generic analyzer_confirmation_info and analyzer_violation_info
Introduce two new events for analyzer confirmation and analyzer violation reporting. The current analyzer_confirmation and analyzer_violation events assume connection objects and analyzer ids are available which is not always the case. We're already passing aid=0 for packet analyzers and there's not currently a way to report violations from file analyzers using analyzer_violation, for example. These new events use an extensible Info record approach so that additional (optional) information can be added later without changing the signature. It would allow for per analyzer extensions to the info records to pass analyzer specific info to script land. It's not clear that this would be a good idea, however. The previous analyzer_confirmation and analyzer_violation events continue to exist, but are deprecated and will be removed with Zeek 6.1.
This commit is contained in:
Arne Welzel
parent
2e58d6a1a9
commit
bc8fd5a4c6
24 changed files with 456 additions and 77 deletions
|
|
@ -2268,6 +2268,51 @@ const RPC_status = {
|
|||
[RPC_UNKNOWN_ERROR] = "unknown"
|
||||
};
|
||||
|
||||
## Generic analyzer confirmation info record.
|
||||
##
|
||||
## .. zeek:see:: analyzer_confirmation_info
|
||||
type AnalyzerConfirmationInfo: record {
|
||||
## The connection related to this confirmation, if any.
|
||||
## This field may be set if there's any connection related information
|
||||
## available for this confirmation. For protocol analyzers it is guaranteed
|
||||
## to be set, but may also be added by file analyzers as additional
|
||||
## contextual information.
|
||||
c: connection &optional;
|
||||
|
||||
## The file object related to this confirmation, if any.
|
||||
f: fa_file &optional;
|
||||
|
||||
## Specific analyzer instance that can be used to reference the analyzer
|
||||
## when using builtin functions like :zeek:id:`disable_analyzer`.
|
||||
aid: count &optional;
|
||||
};
|
||||
|
||||
## Generic analyzer violation info record.
|
||||
##
|
||||
## .. zeek:see:: analyzer_violation_info
|
||||
type AnalyzerViolationInfo: record {
|
||||
## The reason for the violation - should be user readable.
|
||||
reason: string;
|
||||
|
||||
## The connection related to this violation, if any.
|
||||
## This field may be set if there's any connection related information
|
||||
## available for this violation. For protocol analyzers it is guaranteed
|
||||
## to be set, but may also be added by file analyzers as additional
|
||||
## contextual information.
|
||||
c: connection &optional;
|
||||
|
||||
## The file object related to this violation, if any.
|
||||
f: fa_file &optional;
|
||||
|
||||
## Specific analyzer instance that can be used to reference the analyzer
|
||||
## when using builtin functions like :zeek:id:`disable_analyzer`.
|
||||
aid: count &optional;
|
||||
|
||||
## Piece of binary data that was parsed and caused the violation.
|
||||
data: string &optional;
|
||||
};
|
||||
|
||||
|
||||
module NFS3;
|
||||
|
||||
export {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue