Prevent large dhcp log entries
A flood of DHCP traffic can result in very large log entries consisting of many uids and/or msg_types. Such large log entries can disrupt a SIEM ingestion pipeline. This change forces a log entry to be written when the number of uids or the number of msg_types exceeds a certain value. The values are treated as options for easy configuration.
This commit is contained in:
parent
d461033978
commit
fb4858d42b
6 changed files with 173 additions and 0 deletions
|
@ -91,6 +91,12 @@ export {
|
|||
## transaction narrative.
|
||||
option DHCP::max_txid_watch_time = 30secs;
|
||||
|
||||
## The maximum number of uids allowed in a single log entry.
|
||||
option DHCP::max_uids_per_log_entry = 10;
|
||||
|
||||
## The maximum number of msg_types allowed in a single log entry.
|
||||
option DHCP::max_msg_types_per_log_entry = 50;
|
||||
|
||||
## This event is used internally to distribute data around clusters
|
||||
## since DHCP doesn't follow the normal "connection" model used by
|
||||
## most protocols. It can also be handled to extend the DHCP log.
|
||||
|
@ -266,6 +272,13 @@ event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, ms
|
|||
if ( options?$lease )
|
||||
log_info$lease_time = options$lease;
|
||||
}
|
||||
|
||||
# Write log entry if |uids| or |msg_types| becomes too large
|
||||
if ( |log_info$uids| >= max_uids_per_log_entry || |log_info$msg_types| >= max_msg_types_per_log_entry )
|
||||
{
|
||||
Log::write(LOG, log_info);
|
||||
delete join_data[msg$xid];
|
||||
}
|
||||
}
|
||||
@endif
|
||||
|
||||
|
|
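Review bot: The thresholds in `if ( |log_info$uids| >= max_uids_per_log_entry || |log_info$msg_types| >= max_msg_types_per_log_entry )` are compared with `>=` against what are presumably unsigned `count` options, so a value of 0 (settable at runtime, since these are `option`s) makes the condition always true and every aggregated message is flushed as its own log entry — the opposite of the aggregation this check is meant to preserve, and a log-volume problem of its own. Either document the lower bound on both option declarations, e.g. `## The maximum number of uids allowed in a single log entry. Must be at least 1.`, or guard the comparison: `if ( (max_uids_per_log_entry > 0 && |log_info$uids| >= max_uids_per_log_entry) ||` / `     (max_msg_types_per_log_entry > 0 && |log_info$msg_types| >= max_msg_types_per_log_entry) )`. Note also that the commit message says "exceed" while `>=` writes the entry as soon as the count reaches the threshold, which matches the "maximum number allowed" wording on the options rather than the message. The enclosing `DHCP::aggregate_msgs` handler begins outside the hunk.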