Rename analyzer.log to analyzer.debug log; move to policy

The current analyzer.log is more useful for debugging than for
operational purposes. Hence this is disabled by default, moved to a
policy script, and the log is renamed to analyzer-debug.log.

Furthermore, logging of analyzer confirmations and the disabling of
analyzers are now enabled by default.
This commit is contained in:
Johanna Amann 2025-03-27 16:48:49 +00:00
parent 6183c5086b
commit c55e21da71
3 changed files with 41 additions and 37 deletions


@ -1,4 +1,5 @@
##! Disables analyzers if protocol violations occur.
##! Disables analyzers if protocol violations occur, and add service information
##! to connection log.
module DPD;
@ -27,6 +28,7 @@ redef record connection += {
service_violation: set[string] &default=set() &ordered;
};
## add confirmed protocol analyzers to conn.log service field
event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &priority=10
{
if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
@ -40,6 +42,7 @@ event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirm
add c$service[analyzer];
}
## Remove failed analyzers from service field and add them to c$service_violation
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=10
{
if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )