diff --git a/CHANGES b/CHANGES
index fc2e063b75..d3ef4453b1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,12 @@
+7.1.0-dev.481 | 2024-11-11 09:34:10 +0100
+
+  * policy/community-id: Populate conn$community_id in new_connection() (Arne Welzel, Corelight)
+
+    This wasn't possible before #3028 was fixed, but now it's safe to set
+    the value in new_connection() and allow other users access to the
+    field much earlier. We do not have to deal with connection_flipped()
+    because the community-id hash is symmetric.
+
 7.1.0-dev.478 | 2024-11-08 18:36:07 +0100
 
   * Fixed ZAM memory leak when coercing values to "any" (Vern Paxson, Corelight)
diff --git a/NEWS b/NEWS
index 0098c11e95..3b5b580fe0 100644
--- a/NEWS
+++ b/NEWS
@@ -103,6 +103,10 @@ Changed Functionality
   of a node are scraped via the Prometheus HTTP endpoint, or one of the collect
   methods is invoked from Zeek script.
 
+* The community-id-logging.zeek policy script was used to set ``c$conn$community_id``
+  during ``new_connection()`` rather than ``connection_state_remove()``, allowing
+  other scripts to reuse its value early.
+
 Removed Functionality
 ---------------------
 
diff --git a/VERSION b/VERSION
index 9c05caa52d..eb160a8ddb 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-7.1.0-dev.478
+7.1.0-dev.481
diff --git a/scripts/policy/frameworks/notice/community-id.zeek b/scripts/policy/frameworks/notice/community-id.zeek
index a1b9a65659..8dc71b1561 100644
--- a/scripts/policy/frameworks/notice/community-id.zeek
+++ b/scripts/policy/frameworks/notice/community-id.zeek
@@ -20,6 +20,12 @@ export {
 
 hook Notice::notice(n: Notice::Info)
 	{
-	if ( CommunityID::Notice::enabled && n?$conn )
-		n$community_id = community_id_v1(n$conn$id, CommunityID::seed, CommunityID::do_base64);
+	if ( CommunityID::Notice::enabled && n?$conn && n$conn?$conn )
+		{
+		local info = n$conn$conn;
+		# This is set during new_connection(), so it should
+		# always be there, but better safe than sorry.
+		if ( info?$community_id )
+			n$community_id = info$community_id;
+		}
 	}
diff --git a/scripts/policy/protocols/conn/community-id-logging.zeek b/scripts/policy/protocols/conn/community-id-logging.zeek
index a08430727b..be8a7f8b7f 100644
--- a/scripts/policy/protocols/conn/community-id-logging.zeek
+++ b/scripts/policy/protocols/conn/community-id-logging.zeek
@@ -17,7 +17,10 @@ export {
 	};
 }
 
-event connection_state_remove(c: connection)
+module Conn;
+
+event new_connection(c: connection) &priority=5
 	{
+	Conn::set_conn(c, F); # likely first to access :-/
 	c$conn$community_id = community_id_v1(c$id, CommunityID::seed, CommunityID::do_base64);
 	}
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.notice.community-id/notice.log.cut b/testing/btest/Baseline/scripts.policy.frameworks.notice.community-id/notice.log.cut
index 7227d38c91..3fc24c4d1e 100644
--- a/testing/btest/Baseline/scripts.policy.frameworks.notice.community-id/notice.log.cut
+++ b/testing/btest/Baseline/scripts.policy.frameworks.notice.community-id/notice.log.cut
@@ -1,3 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 - - - - - - COMMUNITY_ID_INIT Zeek initializing
+141.142.228.5 59856 192.150.187.43 80 tcp 1:yvyB8h+3dnggTZW0UEITWCst97w= COMMUNITY_ID_NEW_CONNECTION New connection
 141.142.228.5 59856 192.150.187.43 80 tcp 1:yvyB8h+3dnggTZW0UEITWCst97w= COMMUNITY_ID_CONN_ESTABLISHED Connection establishment
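Review bot: A notice raised with `$conn` set now silently loses its community_id whenever `protocols/conn/community-id-logging` is not loaded, because the hook only copies `n$conn$conn$community_id` and no longer computes anything itself; the file's preamble is outside this hunk, so I cannot tell whether it `@load`s that script, and the `if ( info?$community_id )` guard turns the missing field into a quiet no-op rather than the previous correct value. Keeping the old computation as the fallback preserves the prior behavior for that case: after `n$community_id = info$community_id;` add `else n$community_id = community_id_v1(n$conn$id, CommunityID::seed, CommunityID::do_base64);`. The comment `# This is set during new_connection(), so it should always be there` would then be worth extending with the condition under which it is true, e.g. `# ... by protocols/conn/community-id-logging; fall back to computing it if that script is not loaded`.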
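Review bot: The comment `# likely first to access :-/` on the `Conn::set_conn(c, F)` line does not say why the call is there, and the `module Conn;` switch two lines above it is unexplained, so a reader sees a policy script changing module mid-file with no stated reason. I would replace it with `# set_conn() is not exported from Conn, hence the module switch above; c$conn is normally not populated yet this early in new_connection(), so create it here` — hedged, since set_conn's definition is not visible here: confirm it is a no-op when `c$conn` already exists, and guard with `if ( ! c?$conn )` if it is not, so a higher-priority handler's record is not replaced. It would also help to state in the script why no `connection_flipped` handling is needed (`# community_id_v1() is direction-symmetric, so a later orig/resp flip does not change the value`), which the CHANGES entry explains but the code does not.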
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging-flipped/conn.log.cut b/testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging-flipped/conn.log.cut
new file mode 100644
index 0000000000..b02a020eb9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging-flipped/conn.log.cut
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+141.142.228.5 59856 192.150.187.43 80 tcp - 1:yvyB8h+3dnggTZW0UEITWCst97w=
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging-flipped/out b/testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging-flipped/out
new file mode 100644
index 0000000000..d70fe804fb
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging-flipped/out
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+new_connection, CHhAvVGS1DHFjwGM9, 1:yvyB8h+3dnggTZW0UEITWCst97w=
diff --git a/testing/btest/scripts/policy/frameworks/notice/community-id.zeek b/testing/btest/scripts/policy/frameworks/notice/community-id.zeek
index 8383017c63..07fd57a77d 100644
--- a/testing/btest/scripts/policy/frameworks/notice/community-id.zeek
+++ b/testing/btest/scripts/policy/frameworks/notice/community-id.zeek
@@ -13,6 +13,7 @@
 redef enum Notice::Type += {
 	COMMUNITY_ID_INIT,
 	COMMUNITY_ID_CONN_ESTABLISHED,
+	COMMUNITY_ID_NEW_CONNECTION,
 };
 
 event zeek_init()
@@ -22,6 +23,14 @@ event zeek_init()
 		$msg="Zeek initializing"]);
 	}
 
+event new_connection(c: connection)
+	{
+	# A notice with connection context
+	NOTICE([$note=COMMUNITY_ID_NEW_CONNECTION,
+		$msg="New connection",
+		$conn=c]);
+	}
+
 event connection_established(c: connection)
 	{
 	# A notice with connection context
diff --git a/testing/btest/scripts/policy/protocols/conn/community-id-logging-flipped.zeek b/testing/btest/scripts/policy/protocols/conn/community-id-logging-flipped.zeek
new file mode 100644
index 0000000000..a7c425dca3
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/conn/community-id-logging-flipped.zeek
@@ -0,0 +1,13 @@
+# @TEST-DOC: Ensure community_id is logged even if the connection is flipped.
+
+# @TEST-EXEC: zeek -b -r $TRACES/tcp/handshake-reorder.trace %INPUT >out
+# @TEST-EXEC: zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p proto service community_id < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff conn.log.cut
+
+@load protocols/conn/community-id-logging
+
+event new_connection(c: connection)
+	{
+	print "new_connection", c$uid, c$conn$community_id;
+	}
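Review bot: The `@TEST-DOC` promises the flipped case, but nothing in the script demonstrates that `handshake-reorder.trace` actually produced a flip: `out` only records `new_connection`, and `conn.log.cut` would look identical for a connection that was never flipped, so the test would keep passing if the trace or the flip logic changed. Adding `event connection_flipped(c: connection) { print "connection_flipped", c$uid, c$conn$community_id; }` and regenerating the `out` baseline would make the test assert both that the flip happened and that the value copied in `new_connection` survived it unchanged. Since `conn.log.cut` shows the post-flip orig/resp order, any divergence between the two printed hashes would then surface as a baseline diff instead of going unnoticed.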