Introduce generic analyzer_confirmation_info and analyzer_violation_info

Introduce two new events for analyzer confirmation and analyzer violation reporting. The current analyzer_confirmation and analyzer_violation events assume connection objects and analyzer ids are available which is not always the case. We're already passing aid=0 for packet analyzers and there's not currently a way to report violations from file analyzers using analyzer_violation, for example. These new events use an extensible Info record approach so that additional (optional) information can be added later without changing the signature. It would allow for per analyzer extensions to the info records to pass analyzer specific info to script land. It's not clear that this would be a good idea, however. The previous analyzer_confirmation and analyzer_violation events continue to exist, but are deprecated and will be removed with Zeek 6.1.
2025-10-02 14:48:21 +00:00 · 2022-09-27 15:11:01 +02:00 · 2022-09-27 15:11:01 +02:00 · bc8fd5a4c6
commit bc8fd5a4c6
parent 2e58d6a1a9
24 changed files with 456 additions and 77 deletions
--- a/scripts/policy/frameworks/dpd/detect-protocols.zeek
+++ b/scripts/policy/frameworks/dpd/detect-protocols.zeek
@ -198,8 +198,13 @@ hook finalize_protocol_detection(c: connection)
 	report_protocols(c);
 	}

-event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count)
+event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
 	{
+	if ( ! is_protocol_analyzer(atype) )
+		return;
+
+	local c = info$c;
+
 	# Don't report anything running on a well-known port.
 	if ( c$id$resp_p in Analyzer::registered_ports(atype) )
 		return;