mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Fix type clash fatal error with log filters that use $ext_func and $include/$exclude
The logging manager's Manager::TraverseRecord(), called when adding a log filter to a stream, skipped any fields intoduced by a filter's $ext_func when such fields weren't mentioned in a $include restriction or mentioned in an $exclude restriction. This was inconsistent with Manager::RecordToFilterVals, used when actually writing log entries, which does include those values. The result was that the record indices descent in Manager::RecordToFilterVals expects to find only record values, when in fact only the record provided by ext_func is present. This leads to type mismatches and hard Zeek exits like this one: 1300475173.475401 fatal error in zeek/share/zeek//base/init-bare.zeek, line 4810: Val::CONVERTER (string/record) (zeek) The fix makes ext_func's field additions decisive, meaning the filter's include/exclude lists don't apply to it. If a user really wants to override this, they can reset the filter's ext_func back to our no-op default. The included btest produces the above error when the fix is not present.
This commit is contained in:
Christian Kreibich
parent
ee31673154
commit
f97a33e14d
4 changed files with 123 additions and 2 deletions
|
|
@ -487,7 +487,8 @@ bool Manager::TraverseRecord(Stream* stream, Filter* filter, RecordType* rt,
|
|||
}
|
||||
|
||||
// If include fields are specified, only include if explicitly listed.
|
||||
if ( include )
|
||||
// Exception: extension fields provided by the filter's ext_func remain.
|
||||
if ( j >= num_ext_fields && include )
|
||||
{
|
||||
auto new_path_val = make_intrusive<StringVal>(new_path.c_str());
|
||||
bool result = (bool)include->FindOrDefault(new_path_val);
|
||||
|
|
@ -497,7 +498,8 @@ bool Manager::TraverseRecord(Stream* stream, Filter* filter, RecordType* rt,
|
|||
}
|
||||
|
||||
// If exclude fields are specified, do not only include if listed.
|
||||
if ( exclude )
|
||||
// Here too, extension fields always remain.
|
||||
if ( j >= num_ext_fields && exclude )
|
||||
{
|
||||
auto new_path_val = make_intrusive<StringVal>(new_path.c_str());
|
||||
bool result = (bool)exclude->FindOrDefault(new_path_val);
|
||||
|
|
|
|||
|
|
@ -0,0 +1,44 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path conn-exc
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields _write_ts _stream _system_name ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string string time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CFLRIC3zaTU1loLGxh 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX Ck51lg1bScffFj34Ri 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CtxTCR2Yer0FR1tIBg 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX C1Xkzz2MaGtLrc1Tla 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CqlVyW1YwZ15RhTBc4 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CLNN1k2QMum1aexUK7 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CGLPPc35OzDQij1XX8 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CiyBAq1bBLNaTiTAc 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CFSwNi4CNGxcuffo49 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX Cipfzj1BEnhejw8cGf 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CPhDKt12KQPUVbQz06 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CAnFrb2Cvxr5T7quOc 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 -
|
||||
XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CaGCc13FffXe6RkQl9 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 -
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
@ -0,0 +1,44 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path conn-inc
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields _write_ts _stream _system_name ts uid id.orig_h id.resp_h
|
||||
#types time string string time string addr addr
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 173.192.163.128 141.142.220.235
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 141.142.220.118 208.80.152.2
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 141.142.220.118 208.80.152.2
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 141.142.220.118 208.80.152.3
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 141.142.220.118 208.80.152.3
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 141.142.220.118 208.80.152.3
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 141.142.220.118 208.80.152.3
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 141.142.220.118 208.80.152.3
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 141.142.220.118 208.80.152.3
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.220.118 208.80.152.118
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 141.142.220.118 141.142.2.2
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CFLRIC3zaTU1loLGxh 141.142.220.118 141.142.2.2
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 141.142.220.118 141.142.2.2
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX Ck51lg1bScffFj34Ri 141.142.220.118 141.142.2.2
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 141.142.220.118 141.142.2.2
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 141.142.220.118 141.142.2.2
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 141.142.220.118 141.142.2.2
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CykQaM33ztNt0csB9a 141.142.220.118 141.142.2.2
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CtxTCR2Yer0FR1tIBg 141.142.220.118 141.142.2.2
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 141.142.220.118 141.142.2.2
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX C1Xkzz2MaGtLrc1Tla 141.142.220.118 141.142.2.2
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CqlVyW1YwZ15RhTBc4 141.142.220.118 141.142.2.2
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CLNN1k2QMum1aexUK7 141.142.220.118 141.142.2.2
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 141.142.220.118 141.142.2.2
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CGLPPc35OzDQij1XX8 141.142.220.44 224.0.0.251
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CiyBAq1bBLNaTiTAc 141.142.220.50 224.0.0.251
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CFSwNi4CNGxcuffo49 141.142.220.202 224.0.0.251
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX Cipfzj1BEnhejw8cGf 141.142.220.226 141.142.220.255
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 224.0.0.252
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CPhDKt12KQPUVbQz06 141.142.220.226 224.0.0.252
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CAnFrb2Cvxr5T7quOc 141.142.220.238 141.142.220.255
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl fe80::217:f2ff:fed7:cf65 ff02::fb
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 fe80::3074:17d5:2052:c324 ff02::1:3
|
||||
XXXXXXXXXX.XXXXXX conn-inc zeek XXXXXXXXXX.XXXXXX CaGCc13FffXe6RkQl9 fe80::3074:17d5:2052:c324 ff02::1:3
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
# This tests the intersection of log filters with a custom extension
|
||||
# function that also use $include/$exclude: the extension function
|
||||
# overrides those restrictions.
|
||||
#
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/wikipedia.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff conn-inc.log
|
||||
# @TEST-EXEC: btest-diff conn-exc.log
|
||||
|
||||
@load base/protocols/conn
|
||||
|
||||
type Extension: record {
|
||||
write_ts: time &log;
|
||||
stream: string &log;
|
||||
system_name: string &log;
|
||||
};
|
||||
|
||||
function add_extension(path: string): Extension
|
||||
{
|
||||
return Extension($write_ts = network_time(),
|
||||
$stream = path,
|
||||
$system_name = peer_description);
|
||||
}
|
||||
|
||||
redef Log::default_ext_func = add_extension;
|
||||
|
||||
event zeek_init()
|
||||
{
|
||||
Log::remove_default_filter(Conn::LOG);
|
||||
Log::add_filter(Conn::LOG, [$name="default-inc", $path="conn-inc", $include=set("ts", "uid", "id.orig_h", "id.resp_h")]);
|
||||
Log::add_filter(Conn::LOG, [$name="default-exc", $path="conn-exc", $exclude=set("_write_ts")]);
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue