Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 12:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Very small updates to the tunnels framework.

Browse source 
- Make the uid field optional since it's conceptually incorrect
  for proxies being treated as tunnels to have it.

- Reordered two fields in the log.

- Reduced the default tunnel expiration interface to something more
  reasonable (1 hour).
This commit is contained in:
Seth Hall 2012-06-20 13:56:42 -04:00
parent 83f385b2b0
commit c30c0d5ff2
2 changed files with 11 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

14
scripts/base/frameworks/tunnels/main.bro
View file

@ -28,17 +28,20 @@ export {
ts: time &log; ts: time &log;
## The unique identifier for the tunnel, which may correspond ## The unique identifier for the tunnel, which may correspond
## to a :bro:type:`connection`'s *uid* field for non-IP-in-IP tunnels. ## to a :bro:type:`connection`'s *uid* field for non-IP-in-IP tunnels.
uid: string &log; ## This is optional because there could be numerous connections
## for payload proxies like SOCKS but we should treat it as a single
## tunnel.
uid: string &log &optional;
## The tunnel "connection" 4-tuple of endpoint addresses/ports. ## The tunnel "connection" 4-tuple of endpoint addresses/ports.
## For an IP tunnel, the ports will be 0. ## For an IP tunnel, the ports will be 0.
id: conn_id &log; id: conn_id &log;
## The type of activity that occurred.
action: Action &log;
## The type of tunnel. ## The type of tunnel.
tunnel_type: Tunnel::Type &log; tunnel_type: Tunnel::Type &log;
## The type of activity that occurred.
action: Action &log;
}; };
## Logs all tunnels in an ecapsulation chain with action ## Logs all tunnels in an encapsulation chain with action
## :bro:see:`Tunnel::DISCOVER` that aren't already in the ## :bro:see:`Tunnel::DISCOVER` that aren't already in the
## :bro:id:`Tunnel::active` table and adds them if not. ## :bro:id:`Tunnel::active` table and adds them if not.
global register_all: function(ecv: EncapsulatingConnVector); global register_all: function(ecv: EncapsulatingConnVector);
@ -71,7 +74,7 @@ export {
## The amount of time a tunnel is not used in establishment of new ## The amount of time a tunnel is not used in establishment of new
## connections before it is considered inactive/expired. ## connections before it is considered inactive/expired.
const expiration_interval = 24hrs &redef; const expiration_interval = 1hrs &redef;
## Currently active tunnels. That is, tunnels for which new, encapsulated ## Currently active tunnels. That is, tunnels for which new, encapsulated
## connections have been seen in the interval indicated by ## connections have been seen in the interval indicated by
@ -104,6 +107,7 @@ function register(ec: EncapsulatingConn)
{ {
local tunnel: Info; local tunnel: Info;
tunnel$ts = network_time(); tunnel$ts = network_time();
if ( ec?$uid )
tunnel$uid = ec$uid; tunnel$uid = ec$uid;
tunnel$id = ec$cid; tunnel$id = ec$cid;
tunnel$action = DISCOVER; tunnel$action = DISCOVER;

2
scripts/base/init-bare.bro
View file

@ -191,7 +191,7 @@ export {
tunnel_type: Tunnel::Type; tunnel_type: Tunnel::Type;
## A globally unique identifier that, for non-IP-in-IP tunnels, ## A globally unique identifier that, for non-IP-in-IP tunnels,
## cross-references the *uid* field of :bro:type:`connection`. ## cross-references the *uid* field of :bro:type:`connection`.
uid: string; uid: string &optional;
} &log; } &log;
} # end export } # end export
module GLOBAL; module GLOBAL;