Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/topic/awelzel/community-id-new-connection'

Browse source 
* origin/topic/awelzel/community-id-new-connection:
  policy/community-id: Populate conn$community_id in new_connection()
This commit is contained in:
Arne Welzel 2024-11-11 09:34:10 +01:00
commit d3579c1f34
10 changed files with 53 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

9
CHANGES
View file

@ -1,3 +1,12 @@
7.1.0-dev.481 | 2024-11-11 09:34:10 +0100
* policy/community-id: Populate conn$community_id in new_connection() (Arne Welzel, Corelight)
This wasn't possible before #3028 was fixed, but now it's safe to set
the value in new_connection() and allow other users access to the
field much earlier. We do not have to deal with connection_flipped()
because the community-id hash is symmetric.
7.1.0-dev.478 | 2024-11-08 18:36:07 +0100 7.1.0-dev.478 | 2024-11-08 18:36:07 +0100
* Fixed ZAM memory leak when coercing values to "any" (Vern Paxson, Corelight) * Fixed ZAM memory leak when coercing values to "any" (Vern Paxson, Corelight)

4
NEWS
View file

@ -103,6 +103,10 @@ Changed Functionality
of a node are scraped via the Prometheus HTTP endpoint, or one of the collect of a node are scraped via the Prometheus HTTP endpoint, or one of the collect
methods is invoked from Zeek script. methods is invoked from Zeek script.
* The community-id-logging.zeek policy script was used to set ``c$conn$community_id``
during ``new_connection()`` rather than ``connection_state_remove()``, allowing
other scripts to reuse its value early.
Removed Functionality Removed Functionality
--------------------- ---------------------

2
VERSION
View file

@ -1 +1 @@
7.1.0-dev.478 7.1.0-dev.481

10
scripts/policy/frameworks/notice/community-id.zeek
View file

@ -20,6 +20,12 @@ export {
hook Notice::notice(n: Notice::Info) hook Notice::notice(n: Notice::Info)
{ {
if ( CommunityID::Notice::enabled && n?$conn ) if ( CommunityID::Notice::enabled && n?$conn && n$conn?$conn )
n$community_id = community_id_v1(n$conn$id, CommunityID::seed, CommunityID::do_base64); {
local info = n$conn$conn;
# This is set during new_connection(), so it should
# always be there, but better safe than sorry.
if ( info?$community_id )
n$community_id = info$community_id;
}
} }

5
scripts/policy/protocols/conn/community-id-logging.zeek
View file

@ -17,7 +17,10 @@ export {
}; };
} }
event connection_state_remove(c: connection) module Conn;
event new_connection(c: connection) &priority=5
{ {
Conn::set_conn(c, F); # likely first to access :-/
c$conn$community_id = community_id_v1(c$id, CommunityID::seed, CommunityID::do_base64); c$conn$community_id = community_id_v1(c$id, CommunityID::seed, CommunityID::do_base64);
} }

1
testing/btest/Baseline/scripts.policy.frameworks.notice.community-id/notice.log.cut
View file

@ -1,3 +1,4 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
- - - - - - COMMUNITY_ID_INIT Zeek initializing - - - - - - COMMUNITY_ID_INIT Zeek initializing
141.142.228.5 59856 192.150.187.43 80 tcp 1:yvyB8h+3dnggTZW0UEITWCst97w= COMMUNITY_ID_NEW_CONNECTION New connection
141.142.228.5 59856 192.150.187.43 80 tcp 1:yvyB8h+3dnggTZW0UEITWCst97w= COMMUNITY_ID_CONN_ESTABLISHED Connection establishment 141.142.228.5 59856 192.150.187.43 80 tcp 1:yvyB8h+3dnggTZW0UEITWCst97w= COMMUNITY_ID_CONN_ESTABLISHED Connection establishment

2
testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging-flipped/conn.log.cut Normal file
View file

@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
141.142.228.5 59856 192.150.187.43 80 tcp - 1:yvyB8h+3dnggTZW0UEITWCst97w=

2
testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging-flipped/out Normal file
View file

@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
new_connection, CHhAvVGS1DHFjwGM9, 1:yvyB8h+3dnggTZW0UEITWCst97w=

9
testing/btest/scripts/policy/frameworks/notice/community-id.zeek
View file

@ -13,6 +13,7 @@
redef enum Notice::Type += { redef enum Notice::Type += {
COMMUNITY_ID_INIT, COMMUNITY_ID_INIT,
COMMUNITY_ID_CONN_ESTABLISHED, COMMUNITY_ID_CONN_ESTABLISHED,
COMMUNITY_ID_NEW_CONNECTION,
}; };
event zeek_init() event zeek_init()
@ -22,6 +23,14 @@ event zeek_init()
$msg="Zeek initializing"]); $msg="Zeek initializing"]);
} }
event new_connection(c: connection)
{
# A notice with connection context
NOTICE([$note=COMMUNITY_ID_NEW_CONNECTION,
$msg="New connection",
$conn=c]);
}
event connection_established(c: connection) event connection_established(c: connection)
{ {
# A notice with connection context # A notice with connection context

13
testing/btest/scripts/policy/protocols/conn/community-id-logging-flipped.zeek Normal file
View file

@ -0,0 +1,13 @@
# @TEST-DOC: Ensure community_id is logged even if the connection is flipped.
# @TEST-EXEC: zeek -b -r $TRACES/tcp/handshake-reorder.trace %INPUT >out
# @TEST-EXEC: zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p proto service community_id < conn.log > conn.log.cut
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff conn.log.cut
@load protocols/conn/community-id-logging
event new_connection(c: connection)
{
print "new_connection", c$uid, c$conn$community_id;
}