Merge remote-tracking branch 'origin/master' into topic/johanna/GH-169

2025-10-02 06:38:20 +00:00 · 2020-10-15 15:31:23 +00:00 · 2020-10-15 15:31:23 +00:00 · e95e9b8a5d
commit e95e9b8a5d
parent f4d9cf5f89 5f1ee35d31
42 changed files with 508 additions and 86 deletions
--- a/scripts/base/frameworks/cluster/main.zeek
+++ b/scripts/base/frameworks/cluster/main.zeek
@ -162,7 +162,8 @@ export {
 		## can specify a particular :rfc:`4007` ``zone_id``.
 		zone_id:      string      &default="";
 		## The port that this node will listen on for peer connections.
-		p:            port;
+		## A value of ``0/unknown`` means the node is not pre-configured to listen.
+		p:            port        &default=0/unknown;
 		## Identifier for the interface a worker is sniffing.
 		interface:    string      &optional;
 		## Name of the manager node this node uses.  For workers and proxies.
--- a/scripts/base/frameworks/cluster/setup-connections.zeek
+++ b/scripts/base/frameworks/cluster/setup-connections.zeek
@ -89,11 +89,15 @@ event zeek_init() &priority=-10
 	Broker::subscribe(nodeid_topic(Broker::node_id()));
 	Broker::subscribe(node_topic(node));

-	Broker::listen(Broker::default_listen_address,
-	               self$p,
-	               Broker::default_listen_retry);
+	if ( self$p != 0/unknown )
+		{
+		Broker::listen(Broker::default_listen_address,
+		               self$p,
+		               Broker::default_listen_retry);
+
+		Cluster::log(fmt("listening on %s:%s", Broker::default_listen_address, self$p));
+		}

-	Cluster::log(fmt("listening on %s:%s", Broker::default_listen_address, self$p));

 	switch ( self$node_type ) {
 	case MANAGER:
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -454,6 +454,18 @@ type connection: record {
 	inner_vlan: int &optional;
 };

+## Arguments given to Zeek from the command line. In order to use this, Zeek
+## must use a ``--`` command line argument immediately followed by a script
+## file and additional arguments after that. For example::
+##
+##   zeek --bare-mode -- myscript.zeek -a -b -c
+##
+## To use Zeek as an executable interpreter, include a line at the top of a script
+## like the following and make the script executable::
+##
+##   #!/usr/local/zeek/bin/zeek --
+const zeek_script_args: vector of string = vector();
+
 ## Default amount of time a file can be inactive before the file analysis
 ## gives up and discards any internal state related to the file.
 option default_file_timeout_interval: interval = 2 mins;
@ -4976,6 +4988,26 @@ export {
 	## Number of Mbytes to provide as buffer space when capturing from live
 	## interfaces.
 	const bufsize = 128 &redef;
+
+	## The definition of a "pcap interface".
+	type Interface: record {
+		## The interface/device name.
+		name: string;
+		## A human-readable description of the device.
+		description: string &optional;
+		## The network addresses associated with the device.
+		addrs: set[addr];
+		## Whether the device is a loopback interface.  E.g. addresses
+		## of ``127.0.0.1`` or ``[::1]`` are used by loopback interfaces.
+		is_loopback: bool;
+
+		## Whether the device is up.  Not set when that info is unavailable.
+		is_up: bool &optional;
+		## Whether the device is running.  Not set when that info is unavailable.
+		is_running: bool &optional;
+	};
+
+	type Interfaces: set[Pcap::Interface];
 } # end export

 module DCE_RPC;
--- a/scripts/policy/misc/capture-loss.zeek
+++ b/scripts/policy/misc/capture-loss.zeek
@ -1,10 +1,10 @@
 ##! This script logs evidence regarding the degree to which the packet
-##! capture process suffers from measurement loss.  
-##! The loss could be due to overload on the host or NIC performing 
-##! the packet capture or it could even be beyond the host.  If you are 
-##! capturing from a switch with a SPAN port, it's very possible that 
+##! capture process suffers from measurement loss.
+##! The loss could be due to overload on the host or NIC performing
+##! the packet capture or it could even be beyond the host.  If you are
+##! capturing from a switch with a SPAN port, it's very possible that
 ##! the switch itself could be overloaded and dropping packets.
-##! Reported loss is computed in terms of the number of "gap events" (ACKs 
+##! Reported loss is computed in terms of the number of "gap events" (ACKs
 ##! for a sequence number that's above a gap).

@load base/frameworks/notice
@ -13,15 +13,18 @@ module CaptureLoss;

 export {
 	redef enum Log::ID += { LOG };
-	
+
 	global log_policy: Log::PolicyHook;

 	redef enum Notice::Type += {
 		## Report if the detected capture loss exceeds the percentage
-		## threshold.
-		Too_Much_Loss
+		## threshold defined in :zeek:id:`CaptureLoss::too_much_loss`.
+		Too_Much_Loss,
+		## Report if the traffic seen by a peer within a given watch
+		## interval is less than :zeek:id:`CaptureLoss::minimum_acks`.
+		Too_Little_Traffic,
 	};
-	
+
 	type Info: record {
 		## Timestamp for when the measurement occurred.
 		ts:           time     &log;
@ -38,25 +41,35 @@ export {
 		## Percentage of ACKs seen where the data being ACKed wasn't seen.
 		percent_lost: double   &log;
 	};
-	
-	## The interval at which capture loss reports are created.
+
+	## The interval at which capture loss reports are created in a
+	## running cluster (that is, after the first report).
 	option watch_interval = 15mins;
-	
-	## The percentage of missed data that is considered "too much" 
+
+	## For faster feedback on cluster health, the first capture loss
+	## report is generated this many minutes after startup.
+	option initial_watch_interval = 1mins;
+
+	## The percentage of missed data that is considered "too much"
 	## when the :zeek:enum:`CaptureLoss::Too_Much_Loss` notice should be
 	## generated. The value is expressed as a double between 0 and 1 with 1
 	## being 100%.
 	option too_much_loss: double = 0.1;
+
+	## The minimum number of ACKs expected for a single peer in a
+	## watch interval. If the number seen is less than this,
+	## :zeek:enum:`CaptureLoss::Too_Little_Traffic` is raised.
+	option minimum_acks: count = 1;
 }

 event CaptureLoss::take_measurement(last_ts: time, last_acks: count, last_gaps: count)
 	{
 	if ( last_ts == 0 )
 		{
-		schedule watch_interval { CaptureLoss::take_measurement(network_time(), 0, 0) };
+		schedule initial_watch_interval { CaptureLoss::take_measurement(network_time(), 0, 0) };
 		return;
 		}
-	
+
 	local now = network_time();
 	local g = get_gap_stats();
 	local acks = g$ack_events - last_acks;
@ -65,13 +78,17 @@ event CaptureLoss::take_measurement(last_ts: time, last_acks: count, last_gaps:
 	local info: Info = [$ts=now,
 	                    $ts_delta=now-last_ts,
 	                    $peer=peer_description,
-	                    $acks=acks, $gaps=gaps, 
+	                    $acks=acks, $gaps=gaps,
 	                    $percent_lost=pct_lost];
-	
+
 	if ( pct_lost >= too_much_loss*100 )
-		NOTICE([$note=Too_Much_Loss, 
+		NOTICE([$note=Too_Much_Loss,
 		        $msg=fmt("The capture loss script detected an estimated loss rate above %.3f%%", pct_lost)]);
-	
+
+	if ( acks < minimum_acks )
+		NOTICE([$note=Too_Little_Traffic,
+		        $msg=fmt("Only observed %d TCP ACKs and was expecting at least %d.", acks, minimum_acks)]);
+
 	Log::write(LOG, info);
 	schedule watch_interval { CaptureLoss::take_measurement(now, g$ack_events, g$gap_events) };
 	}
@ -82,5 +99,5 @@ event zeek_init() &priority=5

 	# We only schedule the event if we are capturing packets.
 	if ( reading_live_traffic() || reading_traces() )
-		schedule watch_interval { CaptureLoss::take_measurement(network_time(), 0, 0) };
+		schedule initial_watch_interval { CaptureLoss::take_measurement(network_time(), 0, 0) };
 	}