Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 01:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'pbcullen/topic/pbcullen/remove_exclude'

Browse source 
* pbcullen/topic/pbcullen/remove_exclude:
  Update core.pcap.filter-warning baseline
  Add PacketFilter::remove_exclude function
This commit is contained in:
Tim Wojtulewicz 2024-04-18 09:02:14 -07:00
commit d566961da5
5 changed files with 31 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

11
CHANGES
View file

@ -1,3 +1,14 @@
7.0.0-dev.136 | 2024-04-18 09:02:14 -0700
* Update core.pcap.filter-warning baseline (Peter Cullen, Corelight)
Only the line numbers changed.
* Add PacketFilter::remove_exclude function (Peter Cullen, Corelight)
This adds a public function to the PacketFilter framework that
allows the caller to remove an exclude filter by filter id.
7.0.0-dev.132 | 2024-04-17 14:59:43 -0700 7.0.0-dev.132 | 2024-04-17 14:59:43 -0700
* Parse and store localversion string (Peter Cullen, Corelight) * Parse and store localversion string (Peter Cullen, Corelight)

2
VERSION
View file

@ -1 +1 @@
7.0.0-dev.132 7.0.0-dev.136

17
scripts/base/frameworks/packet-filter/main.zeek
View file

@ -101,6 +101,16 @@ export {
## installed or not. ## installed or not.
global exclude_for: function(filter_id: string, filter: string, span: interval): bool; global exclude_for: function(filter_id: string, filter: string, span: interval): bool;
## Remove a previously added exclude filter fragment by name. The
## traffic that was being filtered will be allowed through the filter
## after calling this function.
##
## filter_id: The name given to the filter fragment which you'd like to remove.
##
## Returns: A boolean value to indicate if a filter fragment with the given name
## actually installed.
global remove_exclude: function(filter_id: string): bool;
## Call this function to build and install a new dynamically built ## Call this function to build and install a new dynamically built
## packet filter. ## packet filter.
global install: function(): bool; global install: function(): bool;
@ -194,12 +204,19 @@ function register_filter_plugin(fp: FilterPlugin)
} }
event remove_dynamic_filter(filter_id: string) event remove_dynamic_filter(filter_id: string)
{
remove_exclude(filter_id);
}
function remove_exclude(filter_id: string): bool
{ {
if ( filter_id in dynamic_restrict_filters ) if ( filter_id in dynamic_restrict_filters )
{ {
delete dynamic_restrict_filters[filter_id]; delete dynamic_restrict_filters[filter_id];
install(); install();
return T;
} }
return F;
} }
function exclude(filter_id: string, filter: string): bool function exclude(filter_id: string, filter: string): bool

2
testing/btest/Baseline/core.pcap.filter-warning/output
View file

@ -1,2 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
warning in <...>/main.zeek, line 307: Warning while compiling pcap filter 'ip or not ip': IEEE 802.15.4 link-layer type filtering not implemented warning in <...>/main.zeek, line 324: Warning while compiling pcap filter 'ip or not ip': IEEE 802.15.4 link-layer type filtering not implemented

2
testing/btest/Baseline/core.pcap.filter-warning/reporter.log
View file

@ -7,5 +7,5 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts level message location #fields ts level message location
#types time enum string string #types time enum string string
XXXXXXXXXX.XXXXXX Reporter::WARNING Warning while compiling pcap filter 'ip or not ip': IEEE 802.15.4 link-layer type filtering not implemented <...>/main.zeek, line 307 XXXXXXXXXX.XXXXXX Reporter::WARNING Warning while compiling pcap filter 'ip or not ip': IEEE 802.15.4 link-layer type filtering not implemented <...>/main.zeek, line 324
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX