IPBasedAnalyzer: Ensure a connection's ConnVal is updated

One idea for the issue that a connection record's endpoint fields may be stale when events are raised before the ConnSize analyzer saw the packet and no analyzer calls GetVal() for the connection afterwards. While this looks a bit ad hoc, I'm leaning towards a follow-up, extending GetVal(skip_update_connval=false) API and then updating BinPAC/Spicy to generate code that passes ``false``. That could avoid a number of unnecessary UpateConnVal() invocations when calling GetVal() multiple times for the same connection and instead just do it once when the packet has been processed. Closes #4214
2025-10-10 02:28:21 +00:00 · 2025-08-22 14:05:44 +02:00 · 2025-08-22 14:05:44 +02:00 · be061bfe04
commit be061bfe04
parent 3e89e6b328
4 changed files with 98 additions and 0 deletions
--- a/testing/btest/Baseline/core.conn-size-endpoint-update/out
+++ b/testing/btest/Baseline/core.conn-size-endpoint-update/out
@ -0,0 +1,37 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+==== zeek_init, syn.pcap
+new_connection, CHhAvVGS1DHFjwGM9
+  orig, [size=0, state=1, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+  resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef]
+connection_SYN_packet, CHhAvVGS1DHFjwGM9, orig
+  orig, [size=0, state=1, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+  resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef]
+connection_state_remove, CHhAvVGS1DHFjwGM9
+  orig, [size=0, state=1, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+  resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef]
+==== zeek_init, synack.pcap
+new_connection, CHhAvVGS1DHFjwGM9
+  orig, [size=0, state=2, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef]
+  resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+connection_SYN_packet, CHhAvVGS1DHFjwGM9, orig
+  orig, [size=0, state=2, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef]
+  resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+connection_state_remove, CHhAvVGS1DHFjwGM9
+  orig, [size=0, state=2, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef]
+  resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+==== zeek_init, get.trace
+new_connection, CHhAvVGS1DHFjwGM9
+  orig, [size=0, state=1, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+  resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef]
+connection_SYN_packet, CHhAvVGS1DHFjwGM9, orig
+  orig, [size=0, state=1, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+  resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef]
+connection_SYN_packet, CHhAvVGS1DHFjwGM9, resp
+  orig, [size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+  resp, [size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef]
+connection_established, CHhAvVGS1DHFjwGM9
+  orig, [size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+  resp, [size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef]
+connection_state_remove, CHhAvVGS1DHFjwGM9
+  orig, [size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+  resp, [size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef]
--- a/testing/btest/Traces/tcp/synack.pcap
+++ b/testing/btest/Traces/tcp/synack.pcap
--- a/testing/btest/core/conn-size-endpoint-update.zeek
+++ b/testing/btest/core/conn-size-endpoint-update.zeek
@ -0,0 +1,41 @@
+# @TEST-DOC: Ensure that a connection's orig and resp records have up-to-date data
+
+
+# @TEST-EXEC: zeek -b -r $TRACES/tcp/syn.pcap %INPUT >> out
+# @TEST-EXEC: zeek -b -r $TRACES/tcp/synack.pcap %INPUT >> out
+# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT >> out
+#
+# @TEST-EXEC: btest-diff out
+
+event zeek_init()
+	{
+	print "==== zeek_init", split_string(packet_source()$path, /\//)[-1];
+	}
+
+event new_connection(c: connection)
+	{
+	print "new_connection", c$uid;
+	print "  orig", c$orig;
+	print "  resp", c$resp;
+	}
+
+event connection_SYN_packet(c: connection, pkt: SYN_packet)
+	{
+	print "connection_SYN_packet", c$uid, pkt$is_orig ? "orig" : "resp";
+	print "  orig", c$orig;
+	print "  resp", c$resp;
+	}
+
+event connection_established(c: connection)
+	{
+	print "connection_established", c$uid;
+	print "  orig", c$orig;
+	print "  resp", c$resp;
+	}
+
+event connection_state_remove(c: connection)
+	{
+	print "connection_state_remove", c$uid;
+	print "  orig", c$orig;
+	print "  resp", c$resp;
+	}