analyzer: Cap analyzer violations at 1000 per analyzer instance

Arne Welzel 2022-10-12 17:35:52 +02:00 committed by Tim Wojtulewicz
parent 557ffe7bbc
commit c58cdf407a
5 changed files with 34 additions and 0 deletions

NEWS

@ -117,6 +117,14 @@ Changed Functionality
- Passing non-string ``sep`` and ``def`` arguments to ``cat_sep()`` isn't a - Passing non-string ``sep`` and ``def`` arguments to ``cat_sep()`` isn't a
fatal error anymore. More descriptive error messages are produced, too. fatal error anymore. More descriptive error messages are produced, too.
- The number of analyzer violation events that can be raised by protocol
analyzer instances is now capped by the const ``max_analyzer_violation_events``.
Its default is 1000 and the main purpose is to prevent analyzers from
scheduling too many ``analyzer_violation_info`` events before the
DPD ``max_violations`` script-level logic has a chance to run and disable
the problematic analyzer.
Deprecated Functionality Deprecated Functionality
------------------------ ------------------------


@ -2312,6 +2312,19 @@ type AnalyzerViolationInfo: record {
data: string &optional; data: string &optional;
}; };
## The maximum number of analyzer violations the core generates before
## suppressing them for a given analyzer instance. A weird providing
## information about the analyzer and connection is generated once the
## limit is reached.
##
## An analyzer generating this many violations is unlikely parsing
## the right protocol or potentially buggy.
##
## See also :zeek:see:`DPD::max_violations` which controls disabling
## analyzers through script logic after a certain number of violations
## was observed.
const max_analyzer_violations = 1000 &redef;
module NFS3; module NFS3;


@ -754,6 +754,16 @@ void Analyzer::AnalyzerViolation(const char* reason, const char* data, int len,
{ {
const auto& effective_tag = arg_tag ? arg_tag : tag; const auto& effective_tag = arg_tag ? arg_tag : tag;
++analyzer_violations;
if ( analyzer_violations > BifConst::max_analyzer_violations )
{
if ( analyzer_violations == BifConst::max_analyzer_violations + 1 )
Weird("too_many_analyzer_violations");
return;
}
if ( analyzer_violation_info ) if ( analyzer_violation_info )
EnqueueAnalyzerViolationInfo(reason, data, len, effective_tag); EnqueueAnalyzerViolationInfo(reason, data, len, effective_tag);
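Review bot: The guard `if ( analyzer_violations > BifConst::max_analyzer_violations )` gives a redef of `max_analyzer_violations = 0` the meaning "suppress every violation, including the first", and neither the `##` comment on the const in the init-bare.zeek hunk nor the NEWS entry says what 0 means, so there is no documented way to turn the cap off. Either document it (`## A value of 0 suppresses all violations.`) or treat 0 as unlimited with `if ( BifConst::max_analyzer_violations > 0 && analyzer_violations > BifConst::max_analyzer_violations )` and document that instead. The `+ 1` in the weird condition would also wrap if the const were ever redef'd to the largest `count` value, which is presumably a non-issue in practice but worth a one-line comment. The remainder of `Analyzer::AnalyzerViolation` runs past the end of the hunk.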


@ -750,6 +750,8 @@ private:
bool finished; bool finished;
bool removing; bool removing;
uint64_t analyzer_violations = 0;
static ID id_counter; static ID id_counter;
}; };


@ -9,6 +9,7 @@ const detect_filtered_trace: bool;
const report_gaps_for_partial: bool; const report_gaps_for_partial: bool;
const exit_only_after_terminate: bool; const exit_only_after_terminate: bool;
const digest_salt: string; const digest_salt: string;
const max_analyzer_violations: count;
const NFS3::return_data: bool; const NFS3::return_data: bool;
const NFS3::return_data_max: count; const NFS3::return_data_max: count;