Fixes for the case where no packet matching an IDS event is ever seen.
This commit is contained in:
parent
f7c6dd7f7e
commit
e0de1a2d00
1 changed files with 53 additions and 31 deletions
|
@ -59,18 +59,9 @@ export {
|
||||||
## Event ID.
|
## Event ID.
|
||||||
event_id: count &log;
|
event_id: count &log;
|
||||||
## Some of the packet data.
|
## Some of the packet data.
|
||||||
packet: string &log;
|
packet: string &log &optional;
|
||||||
} &log;
|
} &log;
|
||||||
|
|
||||||
redef record fa_file += {
|
|
||||||
## Add a field to store per-file state about Unified2 files.
|
|
||||||
unified2: Info &optional;
|
|
||||||
|
|
||||||
## Recently received IDS events. This is primarily used
|
|
||||||
## for tying together Unified2 events and packets.
|
|
||||||
u2_events: table[count] of Unified2::IDSEvent &optional &create_expire=5sec;
|
|
||||||
};
|
|
||||||
|
|
||||||
## The event for accessing logged records.
|
## The event for accessing logged records.
|
||||||
global log_unified2: event(rec: Info);
|
global log_unified2: event(rec: Info);
|
||||||
}
|
}
|
||||||
|
@ -85,6 +76,41 @@ type OneLine: record {
|
||||||
line: string;
|
line: string;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
function create_info(ev: IDSEvent): Info
|
||||||
|
{
|
||||||
|
local info = Info($ts=ev$ts,
|
||||||
|
$id=PacketID($src_ip=ev$src_ip, $src_p=ev$src_p,
|
||||||
|
$dst_ip=ev$dst_ip, $dst_p=ev$dst_p),
|
||||||
|
$sensor_id=ev$sensor_id,
|
||||||
|
$signature_id=ev$signature_id,
|
||||||
|
$generator_id=ev$generator_id,
|
||||||
|
$signature_revision=ev$signature_revision,
|
||||||
|
$classification_id=ev$classification_id,
|
||||||
|
$priority_id=ev$priority_id,
|
||||||
|
$event_id=ev$event_id);
|
||||||
|
|
||||||
|
if ( ev$signature_id in sid_map )
|
||||||
|
info$signature=sid_map[ev$signature_id];
|
||||||
|
if ( ev$generator_id in gen_map )
|
||||||
|
info$generator=gen_map[ev$generator_id];
|
||||||
|
if ( ev$classification_id in classification_map )
|
||||||
|
info$classification=classification_map[ev$classification_id];
|
||||||
|
|
||||||
|
return info;
|
||||||
|
}
|
||||||
|
|
||||||
|
redef record fa_file += {
|
||||||
|
## Recently received IDS events. This is primarily used
|
||||||
|
## for tying together Unified2 events and packets.
|
||||||
|
u2_events: table[count] of Unified2::IDSEvent
|
||||||
|
&optional &create_expire=5sec
|
||||||
|
&expire_func=function(t: table[count] of Unified2::IDSEvent, event_id: count): interval
|
||||||
|
{
|
||||||
|
Log::write(LOG, create_info(t[event_id]));
|
||||||
|
return 0secs;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
event Unified2::read_sid_msg_line(desc: Input::EventDescription, tpe: Input::Event, line: string)
|
event Unified2::read_sid_msg_line(desc: Input::EventDescription, tpe: Input::Event, line: string)
|
||||||
{
|
{
|
||||||
local parts = split_n(line, / \|\| /, F, 100);
|
local parts = split_n(line, / \|\| /, F, 100);
|
||||||
|
@ -153,7 +179,7 @@ event bro_init()
|
||||||
{
|
{
|
||||||
Input::add_analysis([$source=fname,
|
Input::add_analysis([$source=fname,
|
||||||
$reader=Input::READER_BINARY,
|
$reader=Input::READER_BINARY,
|
||||||
$mode=Input::MANUAL,
|
$mode=Input::STREAM,
|
||||||
$name=fname]);
|
$name=fname]);
|
||||||
}, 10secs);
|
}, 10secs);
|
||||||
}
|
}
|
||||||
|
@ -162,7 +188,7 @@ event bro_init()
|
||||||
{
|
{
|
||||||
Input::add_analysis([$source=watch_file,
|
Input::add_analysis([$source=watch_file,
|
||||||
$reader=Input::READER_BINARY,
|
$reader=Input::READER_BINARY,
|
||||||
$mode=Input::MANUAL,
|
$mode=Input::STREAM,
|
||||||
$name=watch_file]);
|
$name=watch_file]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -199,24 +225,20 @@ event unified2_packet(f: fa_file, pkt: Unified2::Packet)
|
||||||
|
|
||||||
event Unified2::alert(f: fa_file, ev: IDSEvent, pkt: Packet)
|
event Unified2::alert(f: fa_file, ev: IDSEvent, pkt: Packet)
|
||||||
{
|
{
|
||||||
local info = Info($ts=ev$ts,
|
local info = create_info(ev);
|
||||||
$id=PacketID($src_ip=ev$src_ip, $src_p=ev$src_p,
|
info$packet=pkt$data;
|
||||||
$dst_ip=ev$dst_ip, $dst_p=ev$dst_p),
|
|
||||||
$sensor_id=ev$sensor_id,
|
|
||||||
$signature_id=ev$signature_id,
|
|
||||||
$generator_id=ev$generator_id,
|
|
||||||
$signature_revision=ev$signature_revision,
|
|
||||||
$classification_id=ev$classification_id,
|
|
||||||
$priority_id=ev$priority_id,
|
|
||||||
$event_id=ev$event_id,
|
|
||||||
$packet=pkt$data);
|
|
||||||
|
|
||||||
if ( ev$signature_id in sid_map )
|
|
||||||
info$signature=sid_map[ev$signature_id];
|
|
||||||
if ( ev$generator_id in gen_map )
|
|
||||||
info$generator=gen_map[ev$generator_id];
|
|
||||||
if ( ev$classification_id in classification_map )
|
|
||||||
info$classification=classification_map[ev$classification_id];
|
|
||||||
|
|
||||||
Log::write(LOG, info);
|
Log::write(LOG, info);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
event file_state_remove(f: fa_file)
|
||||||
|
{
|
||||||
|
if ( f?$u2_events )
|
||||||
|
{
|
||||||
|
# In case any events never had matching packets, flush
|
||||||
|
# the extras to the log.
|
||||||
|
for ( i in f$u2_events )
|
||||||
|
{
|
||||||
|
Log::write(LOG, create_info(f$u2_events[i]));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
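Review bot: Both new flush paths, the `&expire_func` on `u2_events` and the loop in `file_state_remove`, call `Log::write(LOG, create_info(...))` directly, so a script that handles `Unified2::alert` never sees an IDS event whose packet did not arrive, while the unified2 log does contain it; if downstream scripts key off the event rather than the log, those records are silently lost. Either raise the event in a packet-less form from both flush paths as well, or document on `Unified2::alert` that it fires only for events with a matching packet, so the two outputs are known to differ. The two paths also log for different reasons (5sec timeout vs. end of file) with no comment saying so; a note on the expire function such as `# Event outlived the 5sec packet window: log it without packet data` and one in `file_state_remove` would help the next reader, and consumers of the log must now cope with an empty `packet` column since the field became `&log &optional`. I cannot see `unified2_packet`, so I cannot confirm what happens to a packet that arrives after its event has expired out of `u2_events`, nor whether an entry logged at expiry can be logged a second time at `file_state_remove` if the table is torn down before expiry; both are worth checking with a file read in `Input::STREAM` mode.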
|