file_analysis/Analyzer: Limit maximum number of violations
Just as for protocol analyzers, prevent violation event overload.
parent
e688bfcf73
commit
fa956efa79
7 changed files with 58 additions and 5 deletions
|
@ -7,8 +7,8 @@
|
|||
#include "zeek/file_analysis/File.h"
|
||||
#include "zeek/file_analysis/Manager.h"
|
||||
|
||||
// For analyzer_violation_info
|
||||
#include "event.bif.netvar_h"
|
||||
#include "const.bif.netvar_h" // for max_analyzer_violations
|
||||
#include "event.bif.netvar_h" // for analyzer_violation_info
|
||||
|
||||
namespace zeek::file_analysis
|
||||
{
|
||||
|
@ -38,6 +38,12 @@ Analyzer::Analyzer(RecordValPtr arg_args, File* arg_file)
|
|||
{
|
||||
}
|
||||
|
||||
const char* Analyzer::GetAnalyzerName() const
|
||||
{
|
||||
assert(tag);
|
||||
return file_mgr->GetComponentName(tag).c_str();
|
||||
}
|
||||
|
||||
void Analyzer::AnalyzerConfirmation(zeek::Tag arg_tag)
|
||||
{
|
||||
if ( analyzer_confirmed )
|
||||
|
@ -60,6 +66,16 @@ void Analyzer::AnalyzerConfirmation(zeek::Tag arg_tag)
|
|||
|
||||
void Analyzer::AnalyzerViolation(const char* reason, const char* data, int len, zeek::Tag arg_tag)
|
||||
{
|
||||
++analyzer_violations;
|
||||
|
||||
if ( analyzer_violations > BifConst::max_analyzer_violations )
|
||||
{
|
||||
if ( analyzer_violations == BifConst::max_analyzer_violations + 1 )
|
||||
Weird("too_many_analyzer_violations");
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
if ( ! analyzer_violation_info )
|
||||
return;
|
||||
|
||||
|
@ -78,4 +94,9 @@ void Analyzer::AnalyzerViolation(const char* reason, const char* data, int len,
|
|||
event_mgr.Enqueue(analyzer_violation_info, tval, info);
|
||||
}
|
||||
|
||||
void Analyzer::Weird(const char* name, const char* addl)
|
||||
{
|
||||
zeek::reporter->Weird(GetFile(), name, addl, GetAnalyzerName());
|
||||
}
|
||||
|
||||
} // namespace zeek::file_analysis
|
||||
|
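Review bot: `GetAnalyzerName()` returns `file_mgr->GetComponentName(tag).c_str()`, and that pointer is only valid if GetComponentName hands back a reference to storage the manager keeps alive; if it returns a std::string by value, the const char* dangles as soon as the function returns, and the new `Weird()` forwards it straight into reporter->Weird. The hunk does not show GetComponentName's signature, so this may well be fine, but it deserves a comment on GetAnalyzerName once confirmed, e.g. `// Lifetime: points into component storage owned by file_mgr, not a temporary.` Note also that the throttle in AnalyzerViolation is per Analyzer instance and that with max_analyzer_violations set to 0 the very first violation is dropped after the weird, which looks intended but is worth stating in the header documentation.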
|
|
@ -83,6 +83,11 @@ public:
|
|||
*/
|
||||
zeek::Tag Tag() const { return tag; }
|
||||
|
||||
/**
|
||||
* @return the name of the analyzer.
|
||||
*/
|
||||
const char* GetAnalyzerName() const;
|
||||
|
||||
/**
|
||||
* Returns the analyzer instance's internal ID. These IDs are unique
|
||||
* across all analyzers instantiated and can thus be used to
|
||||
|
@ -165,6 +170,12 @@ public:
|
|||
virtual void AnalyzerViolation(const char* reason, const char* data = nullptr, int len = 0,
|
||||
zeek::Tag tag = zeek::Tag());
|
||||
|
||||
/**
|
||||
* Convenience function that forwards directly to the corresponding
|
||||
* reporter->Weird(file, ...).
|
||||
*/
|
||||
void Weird(const char* name, const char* addl = "");
|
||||
|
||||
protected:
|
||||
/**
|
||||
* Constructor. Only derived classes are meant to be instantiated.
|
||||
|
@ -195,6 +206,8 @@ private:
|
|||
bool skip;
|
||||
bool analyzer_confirmed;
|
||||
|
||||
uint64_t analyzer_violations = 0;
|
||||
|
||||
static ID id_counter;
|
||||
};
|
||||
|
||||
|
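Review bot: The new `uint64_t analyzer_violations = 0;` member in the private section carries no comment, and the doc comment above `AnalyzerViolation()` (outside this hunk, presumably unchanged) does not mention that the implementation now drops every call past BifConst::max_analyzer_violations after a single too_many_analyzer_violations weird. Suggest `/** Violations reported by this analyzer instance so far; checked against max_analyzer_violations. */` on the member, and a sentence in AnalyzerViolation's doc stating that violations beyond the configured limit are ignored rather than raised as analyzer_violation_info. Since the counter lives on the Analyzer instance, the cap applies per analyzer rather than per file, which is worth saying explicitly for readers tuning the constant.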
|