Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples'

* origin/topic/christian/extensible-conntuples: btest/plugins: Add test for custom ConnKey factory NEWS updates for pluggable connection tuples. Add a VLAN-aware flow tuple implementation. Deprecate ConnTuple and related APIs. Deprecate the old Connection constructor and detail::ConnKey class. Switch to virtualized use of new zeek::ConnKey class tree Provide a connkey factory for Zeek's default five-tuples. Add IP-specific ConnKey implementation. Establish plugin infrastructure for ConnKey factories. Add new ConnKey abstraction. (cherry picked from commit cd934c460b) With all the conflicts.
2025-10-16 21:48:21 +00:00 · 2025-06-25 14:17:35 +02:00 · 2025-06-25 14:17:35 +02:00 · dd447c3f15
commit dd447c3f15
parent 927b41db7d
69 changed files with 1815 additions and 80 deletions
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -388,6 +388,295 @@ type endpoint_stats: record {
 	endian_type: count;
 };

+<<<<<<< HEAD
+=======
+## Record containing information about a tag.
+##
+## .. zeek:see:: get_tags_by_category
+type tag_component: record {
+	name: string;
+	canonical_name: string;
+	tag: string;
+	enabled: bool;
+};
+
+type tag_component_vec : vector of tag_component;
+
+## Arguments given to Zeek from the command line. In order to use this, Zeek
+## must use a ``--`` command line argument immediately followed by a script
+## file and additional arguments after that. For example::
+##
+##   zeek --bare-mode -- myscript.zeek -a -b -c
+##
+## To use Zeek as an executable interpreter, include a line at the top of a script
+## like the following and make the script executable::
+##
+##   #!/usr/local/zeek/bin/zeek --
+const zeek_script_args: vector of string = vector();
+
+## BPF filter the user has set via the -f command line options. Empty if none.
+const cmd_line_bpf_filter = "" &redef;
+
+## Base time of log rotations in 24-hour time format (``%H:%M``), e.g. "12:00".
+const log_rotate_base_time = "0:00" &redef;
+
+## Whether to attempt to automatically detect SYN/FIN/RST-filtered trace
+## and not report missing segments for such connections.
+## If this is enabled, then missing data at the end of connections may not
+## be reported via :zeek:see:`content_gap`.
+const detect_filtered_trace = F &redef;
+
+## Whether we want :zeek:see:`content_gap` for partial
+## connections. A connection is partial if it is missing a full handshake. Note
+## that gap reports for partial connections might not be reliable.
+##
+## .. zeek:see:: content_gap partial_connection
+const report_gaps_for_partial = F &redef;
+
+## Flag to prevent Zeek from exiting automatically when input is exhausted.
+## Normally Zeek terminates when all packet sources have gone dry
+## and communication isn't enabled. If this flag is set, Zeek's main loop will
+## instead keep idling until :zeek:see:`terminate` is explicitly called.
+##
+## This is mainly for testing purposes when termination behaviour needs to be
+## controlled for reproducing results.
+const exit_only_after_terminate = F &redef;
+
+## Default mode for Zeek's user-space dynamic packet filter. If true, packets
+## that aren't explicitly allowed through, are dropped from any further
+## processing.
+##
+## .. note:: This is not the BPF packet filter but an additional dynamic filter
+##    that Zeek optionally applies just before normal processing starts.
+##
+## .. zeek:see:: install_dst_addr_filter install_dst_net_filter
+##    install_src_addr_filter install_src_net_filter  uninstall_dst_addr_filter
+##    uninstall_dst_net_filter uninstall_src_addr_filter uninstall_src_net_filter
+const packet_filter_default = F &redef;
+
+## Maximum size of regular expression groups for signature matching.
+const sig_max_group_size = 50 &redef;
+
+## Description transmitted to remote communication peers for identification.
+const peer_description = "zeek" &redef;
+
+## Reassemble the beginning of all TCP connections before doing
+## signature matching. Enabling this provides more accurate matching at the
+## expense of CPU cycles.
+##
+## .. zeek:see:: dpd_buffer_size
+##    dpd_match_only_beginning dpd_ignore_ports
+##
+## .. note:: Despite the name, this option affects *all* signature matching, not
+##    only signatures used for dynamic protocol detection.
+const dpd_reassemble_first_packets = T &redef;
+
+## Size of per-connection buffer used for dynamic protocol detection. For each
+## connection, Zeek buffers this initial amount of payload in memory so that
+## complete protocol analysis can start even after the initial packets have
+## already passed through (i.e., when a DPD signature matches only later).
+## However, once the buffer is full, data is deleted and lost to analyzers that
+## are activated afterwards. Then only analyzers that can deal with partial
+## connections will be able to analyze the session.
+##
+## .. zeek:see:: dpd_reassemble_first_packets dpd_match_only_beginning
+##    dpd_ignore_ports dpd_max_packets
+const dpd_buffer_size = 1024 &redef;
+
+## Maximum number of per-connection packets that will be buffered for dynamic
+## protocol detection. For each connection, Zeek buffers up to this amount
+## of packets in memory so that complete protocol analysis can start even after
+## the initial packets have already passed through (i.e., when a DPD signature
+## matches only later). However, once the buffer is full, data is deleted and lost
+## to analyzers that are activated afterwards. Then only analyzers that can deal
+## with partial connections will be able to analyze the session.
+##
+## .. zeek:see:: dpd_reassemble_first_packets dpd_match_only_beginning
+##    dpd_ignore_ports dpd_buffer_size
+const dpd_max_packets = 100 &redef;
+
+## If true, stops signature matching if :zeek:see:`dpd_buffer_size` has been
+## reached.
+##
+## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size
+##    dpd_ignore_ports
+##
+## .. note:: Despite the name, this option affects *all* signature matching, not
+##    only signatures used for dynamic protocol detection.
+const dpd_match_only_beginning = T &redef;
+
+## If true, stops signature matching after a late match. A late match may occur
+## in case the DPD buffer is exhausted but a protocol signature matched. To
+## allow late matching, :zeek:see:`dpd_match_only_beginning` must be disabled.
+##
+## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size
+##    dpd_match_only_beginning
+##
+## .. note:: Despite the name, this option stops *all* signature matching, not
+##    only signatures used for dynamic protocol detection but is triggered by
+##    DPD signatures only.
+const dpd_late_match_stop = F &redef;
+
+## If true, don't consider any ports for deciding which protocol analyzer to
+## use.
+##
+## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size
+##    dpd_match_only_beginning
+const dpd_ignore_ports = F &redef;
+
+## Ports which the core considers being likely used by servers. For ports in
+## this set, it may heuristically decide to flip the direction of the
+## connection if it misses the initial handshake.
+const likely_server_ports: set[port] &redef;
+
+## Holds the filename of the trace file given with ``-w`` (empty if none).
+##
+## .. zeek:see:: record_all_packets
+const trace_output_file = "";
+
+## If a trace file is given with ``-w``, dump *all* packets seen by Zeek into it.
+## By default, Zeek applies (very few) heuristics to reduce the volume. A side
+## effect of setting this to true is that we can write the packets out before we
+## actually process them, which can be helpful for debugging in case the
+## analysis triggers a crash.
+##
+## .. zeek:see:: trace_output_file
+const record_all_packets = F &redef;
+
+## Ignore certain TCP retransmissions for :zeek:see:`conn_stats`.  Some
+## connections (e.g., SSH) retransmit the acknowledged last byte to keep the
+## connection alive. If *ignore_keep_alive_rexmit* is set to true, such
+## retransmissions will be excluded in the rexmit counter in
+## :zeek:see:`conn_stats`.
+##
+## .. zeek:see:: conn_stats
+const ignore_keep_alive_rexmit = F &redef;
+
+
+
+## Seed for hashes computed internally for probabilistic data structures. Using
+## the same value here will make the hashes compatible between independent Zeek
+## instances. If left unset, Zeek will use a temporary local seed.
+const global_hash_seed: string = "" &redef;
+
+## Number of bits in UIDs that are generated to identify connections and
+## files.  The larger the value, the more confidence in UID uniqueness.
+## The maximum is currently 128 bits.
+const bits_per_uid: count = 96 &redef;
+
+## This salt value is used for several message digests in Zeek. We
+## use a salt to help mitigate the possibility of an attacker
+## manipulating source data to, e.g., mount complexity attacks or
+## cause ID collisions.
+## This salt is, for example, used by :zeek:see:`get_file_handle`
+## to generate installation-unique file IDs (the *id* field of :zeek:see:`fa_file`).
+const digest_salt = "Please change this value." &redef;
+
+## Maximum string length allowed for calls to the :zeek:see:`find_all` and
+## :zeek:see:`find_all_ordered` BIFs.
+const max_find_all_string_length: int = 10000 &redef;
+
+## How many rounds to go without checking IO sources with file descriptors
+## for readiness by default. This is used when reading from traces.
+##
+## Very roughly, when reading from a pcap, setting this to 100 results in
+## 100 packets being processed without checking FD based IO sources.
+##
+## .. note:: This should not be changed outside of development or when
+##    debugging problems with the main-loop, or developing features with
+##    tight main-loop interaction.
+##
+## .. zeek:see:: io_poll_interval_live
+const io_poll_interval_default = 100 &redef;
+
+## How often to check IO sources with file descriptors for readiness when
+## monitoring with a live packet source.
+##
+## The poll interval gets defaulted to 100 which is good for cases like reading
+## from pcap files and when there isn't a packet source, but is a little too
+## infrequent for live sources (especially fast live sources). Set it down a
+## little bit for those sources.
+##
+## .. note:: This should not be changed outside of development or when
+##    debugging problems with the main-loop, or developing features with
+##    tight main-loop interaction.
+##
+## .. zeek:see:: io_poll_interval_default
+const io_poll_interval_live = 10 &redef;
+
+## Whether Zeek is being run under test. This can be used to alter functionality
+## while testing, but should be used sparingly.
+const running_under_test: bool = F &redef;
+
+## The amount of time before a connection created by the netbios analyzer times
+## out and is removed.
+const netbios_ssn_session_timeout: interval = 15 sec &redef;
+
+module EventMetadata;
+
+export {
+	## Enum type for metadata identifiers.
+	type ID: enum {
+		NETWORK_TIMESTAMP = 1,
+	};
+
+	## A event metadata entry.
+	type Entry: record {
+		id: EventMetadata::ID; ##< The registered :zeek:see:`EventMetadata::ID` value.
+		val: any;              ##< The value. Its type matches what was passed to :zeek:see:`EventMetadata::register`.
+	};
+
+	## Add network timestamp metadata to all events.
+	##
+	## Adding network timestamp metadata affects local and
+	## remote events. Events scheduled have a network timestamp
+	## of when the scheduled timer was supposed to expire, which
+	## might be a value before the network_time() when the event
+	## was actually dispatched.
+	const add_network_timestamp: bool = F &redef;
+
+	## By default, remote events without network timestamp metadata
+	## will yield a negative zeek:see:`current_event_time` during
+	## processing. To have the receiving Zeek node set the event's
+	## network timestamp metadata with its current local network time,
+	## set this option to true.
+	##
+	## This setting is only in effect if :zeek:see:`EventMetadata::add_network_timestamp`
+	## is also set to true.
+	const add_missing_remote_network_timestamp: bool = F &redef;
+}
+
+module ConnKey;
+
+export {
+	## The connection key factory to use for Zeek's internal connection
+	## tracking. This is a ``ConnKey::Tag`` plugin component enum value,
+	## and the default is Zeek's traditional 5-tuple-tracking based on
+	## IP/port endpoint pairs, plus transport protocol. Plugins can provide
+	## their own implementation. You'll usually not adjust this value in
+	## isolation, but with a corresponding redef of the :zeek:type:`conn_id`
+	## record to represent additional connection tuple members.
+	const factory = ConnKey::CONNKEY_FIVETUPLE &redef;
+}
+
+module FTP;
+
+export {
+	## Limits the size of commands accepted by the FTP analyzer. Longer commands
+	## raise a FTP_max_command_length_exceeded weird and are discarded.
+	const max_command_length = 100 &redef;
+}
+
+module SMTP;
+
+export {
+	## The maximum line length within a BDAT chunk before a forceful linebreak
+	## is introduced and a weird is raised. Conventionally, MIME messages
+	## have a maximum line length of 1000 octets when properly encoded.
+	const bdat_max_line_length = 4096 &redef;
+}
+
+>>>>>>> cd934c460b (Merge remote-tracking branch 'origin/topic/christian/extensible-conntuples')
 module TCP;
 export {
 	## A TCP Option field parsed from a TCP header.