Script-layer tunnel interface cleanup.

- Clarify "tunnel_changed" event documentation.

- Make expiration of "Tunnel::active" elements configurable via
  "Tunnel::expiration_interval".

- Remove redundant registration of a connection's tunnels in
  tunnel/main.bro's "tunnel_changed" handler.

- Rename "parents" field of "Conn::Info" to "tunnel_parents"
  to give more context.
Jon Siwek 2012-06-18 12:29:49 -05:00
parent 146cb47d6a
commit f3b3e73eba
11 changed files with 28 additions and 23 deletions


@ -17,7 +17,8 @@ export {
DISCOVER,
## A tunnel connection has closed.
CLOSE,
## No new connections over a tunnel happened in the past day.
## No new connections over a tunnel happened in the amount of
## time indicated by :bro:see:`Tunnel::expiration_interval`.
EXPIRE,
};
@ -68,9 +69,14 @@ export {
## action: The specific reason for the tunnel ending.
global close: function(tunnel: Info, action: Action);
## The amount of time a tunnel is not used in establishment of new
## connections before it is considered inactive/expired.
const expiration_interval = 24hrs &redef;
## Currently active tunnels. That is, tunnels for which new, encapsulated
## connections have been seen in the last day.
global active: table[conn_id] of Info = table() &synchronized &read_expire=24hrs &expire_func=expire;
## connections have been seen in the interval indicated by
## :bro:see:`Tunnel::expiration_interval`.
global active: table[conn_id] of Info = table() &synchronized &read_expire=expiration_interval &expire_func=expire;
}
const ayiya_ports = { 5072/udp };
@ -129,9 +135,6 @@ event new_connection(c: connection) &priority=5
event tunnel_changed(c: connection, e: EncapsulatingConnVector) &priority=5
{
if ( c?$tunnel )
register_all(c$tunnel);
register_all(e);
}
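Review bot: The new doc comment on `expiration_interval` describes expiry only in terms of new encapsulated connections, but the table is declared with `&read_expire=expiration_interval`, so as far as I know any read of a `Tunnel::active` entry restarts that entry's timer, not just registration of a new connection. The comment should also tell operators what the value trades off: each entry is held for the full interval after its last access, so a long value keeps per-tunnel state for every tunnel seen, while a short one presumably produces repeated EXPIRE and DISCOVER records for the same tunnel. I would add a line such as `## Applied as &read_expire on Tunnel::active: any access to an entry resets its timer, and larger values hold more per-tunnel state.` Whether a later `redef` of the constant is actually picked up by the table attribute is not visible here and is worth confirming with a test.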


@ -104,7 +104,7 @@ export {
## If this connection was over a tunnel, indicate the
## *uid* values for any encapsulating parent connections
## used over the lifetime of this inner connection.
parents: set[string] &log;
tunnel_parents: set[string] &log;
};
## Event that can be handled to access the :bro:type:`Conn::Info`
@ -195,7 +195,7 @@ function set_conn(c: connection, eoc: bool)
c$conn$uid=c$uid;
c$conn$id=c$id;
if ( c?$tunnel && |c$tunnel| > 0 )
add c$conn$parents[c$tunnel[|c$tunnel|-1]$uid];
add c$conn$tunnel_parents[c$tunnel[|c$tunnel|-1]$uid];
c$conn$proto=get_port_transport_proto(c$id$resp_p);
if( |Site::local_nets| > 0 )
c$conn$local_orig=Site::is_local_addr(c$id$orig_h);
@ -238,7 +238,7 @@ event tunnel_changed(c: connection, e: EncapsulatingConnVector) &priority=5
{
set_conn(c, F);
if ( |e| > 0 )
add c$conn$parents[e[|e|-1]$uid];
add c$conn$tunnel_parents[e[|e|-1]$uid];
c$tunnel = e;
}
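Review bot: Renaming the `&log` field `parents` to `tunnel_parents` in `Conn::Info` changes a column name in the connection log, not just a script-level identifier, so any downstream parser, SIEM field mapping or saved query keyed on `parents` would stop matching without raising an error. The visible hunks update both writers (`set_conn` and the `tunnel_changed` handler), but nothing here shows a changelog entry or updated log baselines; those may be among the other changed files. I would call out the schema change explicitly in the release notes so operators can update their mappings. Separately, the field comment promises the uids of "any encapsulating parent connections", while both writers add only the last element of the vector (`|c$tunnel|-1`, `|e|-1`); the comment could say that only that element's uid is recorded each time.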