mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 16:48:19 +00:00
Merge remote-tracking branch 'origin/topic/seth/fix-packetfilter-log'
* origin/topic/seth/fix-packetfilter-log: Hack to make sure that the starting BPF filter is logged on clusters.
commit
ccc7b7669d
4 changed files with 29 additions and 9 deletions
|
@ -1,3 +1,8 @@
|
||||||
@load ./utils
|
@load ./utils
|
||||||
@load ./main
|
@load ./main
|
||||||
@load ./netstats
|
@load ./netstats
|
||||||
|
|
||||||
|
@load base/frameworks/cluster
|
||||||
|
@if ( Cluster::is_enabled() )
|
||||||
|
@load ./cluster
|
||||||
|
@endif
|
||||||
|
|
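--- a/scripts/base/frameworks/packet-filter/cluster.bro
+++ b/scripts/base/frameworks/packet-filter/cluster.bro
@@ -0,0 +1,14 @@
+
+module PacketFilter;
+
+event remote_connection_handshake_done(p: event_peer) &priority=3
+{
+if ( Cluster::local_node_type() == Cluster::WORKER &&
+p$descr in Cluster::nodes &&
+Cluster::nodes[p$descr]$node_type == Cluster::MANAGER )
+{
+# This ensures that a packet filter is installed and logged
+# after the manager connects to us.
+install();
+}
+}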
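Review bot: The handler in cluster.bro calls `install();` on every `remote_connection_handshake_done` from the manager, not only the first, so a manager restart or a flapping connection would presumably re-run the filter installation on the worker and add another packet_filter entry each time. The `bool` that `install()` returns (per the main.bro hunk header) is discarded here, so a failed reinstall is visible only if `install()` reports it itself. If one startup record is the intent, a module-level flag checked before the call would make that explicit; if the repeat is deliberate, say so in the comment, for example `# Runs on every manager (re)connect so the current filter is logged once the manager can receive it.`, and add a word on why `&priority=3` is needed. The manager is recognised through `p$descr`, which looks like a description supplied by the peer, so it is worth confirming that this value is tied to the configured cluster layout and not only to what the remote side announces.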
|
@ -294,6 +294,7 @@ function install(): bool
|
||||||
# Do an audit log for the packet filter.
|
# Do an audit log for the packet filter.
|
||||||
local info: Info;
|
local info: Info;
|
||||||
info$ts = network_time();
|
info$ts = network_time();
|
||||||
|
info$node = peer_description;
|
||||||
# If network_time() is 0.0 we're at init time so use the wall clock.
|
# If network_time() is 0.0 we're at init time so use the wall clock.
|
||||||
if ( info$ts == 0.0 )
|
if ( info$ts == 0.0 )
|
||||||
{
|
{
|
||||||
|
|
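Review bot: The new `info$node = peer_description;` sits between `info$ts = network_time();` and the comment and `if` that correct that timestamp at init time, which splits lines that belong together. Moving it above `info$ts` (or after the `if` block) keeps the timestamp handling contiguous, and a short comment such as `# Attribute the entry to the local node so per-worker filters can be told apart in a cluster.` would document why the field is set. The updated baseline shows the node column changing from `-` to `bro` in what appears to be a non-cluster run, so any consumer of this audit log that treated an unset node as "standalone" needs the same update. The body of install() continues outside this hunk.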
|
@ -3,28 +3,28 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path packet_filter
|
#path packet_filter
|
||||||
#open 2013-08-12-18-24-49
|
#open 2013-10-24-18-53-49
|
||||||
#fields ts node filter init success
|
#fields ts node filter init success
|
||||||
#types time string string bool bool
|
#types time string string bool bool
|
||||||
1376331889.617206 - ip or not ip T T
|
1382640829.338079 bro ip or not ip T T
|
||||||
#close 2013-08-12-18-24-49
|
#close 2013-10-24-18-53-49
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#set_separator ,
|
#set_separator ,
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path packet_filter
|
#path packet_filter
|
||||||
#open 2013-08-12-18-24-49
|
#open 2013-10-24-18-53-49
|
||||||
#fields ts node filter init success
|
#fields ts node filter init success
|
||||||
#types time string string bool bool
|
#types time string string bool bool
|
||||||
1376331889.904944 - port 42 T T
|
1382640829.495639 bro port 42 T T
|
||||||
#close 2013-08-12-18-24-49
|
#close 2013-10-24-18-53-49
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#set_separator ,
|
#set_separator ,
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path packet_filter
|
#path packet_filter
|
||||||
#open 2013-08-12-18-24-50
|
#open 2013-10-24-18-53-49
|
||||||
#fields ts node filter init success
|
#fields ts node filter init success
|
||||||
#types time string string bool bool
|
#types time string string bool bool
|
||||||
1376331890.192875 - (vlan) and (ip or not ip) T T
|
1382640829.653368 bro (vlan) and (ip or not ip) T T
|
||||||
#close 2013-08-12-18-24-50
|
#close 2013-10-24-18-53-49
|
||||||
|
|