file_analysis/Analyzer: Limit maximum number of violations

Just the same as for protocol analyzers, prevent from violation event overload.
2025-10-04 15:48:19 +00:00 · 2022-10-17 10:23:01 +02:00 · 2022-10-17 10:23:01 +02:00 · fa956efa79
commit fa956efa79
parent e688bfcf73
7 changed files with 58 additions and 5 deletions
--- a/src/file_analysis/Analyzer.cc
+++ b/src/file_analysis/Analyzer.cc
@ -7,8 +7,8 @@
 #include "zeek/file_analysis/File.h"
 #include "zeek/file_analysis/Manager.h"

-// For analyzer_violation_info
-#include "event.bif.netvar_h"
+#include "const.bif.netvar_h" // for max_analyzer_violations
+#include "event.bif.netvar_h" // for analyzer_violation_info

 namespace zeek::file_analysis
 	{
@ -38,6 +38,12 @@ Analyzer::Analyzer(RecordValPtr arg_args, File* arg_file)
 	{
 	}

+const char* Analyzer::GetAnalyzerName() const
+	{
+	assert(tag);
+	return file_mgr->GetComponentName(tag).c_str();
+	}
+
 void Analyzer::AnalyzerConfirmation(zeek::Tag arg_tag)
 	{
 	if ( analyzer_confirmed )
@ -60,6 +66,16 @@ void Analyzer::AnalyzerConfirmation(zeek::Tag arg_tag)

 void Analyzer::AnalyzerViolation(const char* reason, const char* data, int len, zeek::Tag arg_tag)
 	{
+	++analyzer_violations;
+
+	if ( analyzer_violations > BifConst::max_analyzer_violations )
+		{
+		if ( analyzer_violations == BifConst::max_analyzer_violations + 1 )
+			Weird("too_many_analyzer_violations");
+
+		return;
+		}
+
 	if ( ! analyzer_violation_info )
 		return;

@ -78,4 +94,9 @@ void Analyzer::AnalyzerViolation(const char* reason, const char* data, int len,
 	event_mgr.Enqueue(analyzer_violation_info, tval, info);
 	}

+void Analyzer::Weird(const char* name, const char* addl)
+	{
+	zeek::reporter->Weird(GetFile(), name, addl, GetAnalyzerName());
+	}
+
 	} // namespace zeek::file_analysis