Prevent large dhcp log entries

A flood of DHCP traffic can result in very large log entries consisting
of many uids and/or msg_types. Such large log entries can disrupt a SIEM
ingestion pipeline. This change forces a log entry to be written when
the number of uids or the number of msg_types exceeds a certain value.
The values are treated as options for easy configuration.
Peter Cullen 2022-07-28 11:34:18 -07:00
parent d461033978
commit fb4858d42b
6 changed files with 173 additions and 0 deletions
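The capping logic the commit message describes, modelled in Python as an added example (this is not Zeek's own script code). The caps 5 and 8 are the redef values used in the tests; the entry shape, the per-client grouping and the "write as soon as the count reaches the cap" rule are assumptions made for the model.

```python
from dataclasses import dataclass, field


@dataclass
class DhcpLogEntry:
    """One dhcp.log row: a client's transaction with the uids and msg_types seen so far."""
    client_addr: str
    uids: list = field(default_factory=list)
    msg_types: list = field(default_factory=list)


def aggregate(messages, max_uids, max_msg_types):
    """Fold (uid, client_addr, msg_type) tuples into log entries, one open entry per client.

    An entry is forced out as soon as it holds max_uids distinct uids or
    max_msg_types message types (reaching the cap triggers the write; that
    threshold semantics is a modelling assumption), so a flood from one client
    yields many bounded rows instead of a single huge one.
    """
    written = []
    open_entries = {}
    for uid, client, msg_type in messages:
        entry = open_entries.setdefault(client, DhcpLogEntry(client))
        if uid not in entry.uids:          # uids behave as a set
            entry.uids.append(uid)
        entry.msg_types.append(msg_type)   # msg_types behave as a vector
        if len(entry.uids) >= max_uids or len(entry.msg_types) >= max_msg_types:
            written.append(open_entries.pop(client))
    written.extend(open_entries.values())  # flush whatever is still open at end of trace
    return written


# Constructed flood: 20 DISCOVERs from one client, each on a new connection uid.
UID_FLOOD = [(f"CUid{i:02d}", "192.0.2.10", "DISCOVER") for i in range(20)]
# Constructed flood: 20 messages reusing one uid, so only msg_types grows.
MSG_TYPE_FLOOD = [("CUid00", "192.0.2.11", "DISCOVER" if i % 2 == 0 else "REQUEST")
                  for i in range(20)]


def demo():
    """Return (rows, max uids per row, rows, max msg_types per row) for the two floods."""
    uid_rows = aggregate(UID_FLOOD, max_uids=5, max_msg_types=8)
    type_rows = aggregate(MSG_TYPE_FLOOD, max_uids=5, max_msg_types=8)
    return (len(uid_rows), max(len(r.uids) for r in uid_rows),
            len(type_rows), max(len(r.msg_types) for r in type_rows))


if __name__ == "__main__":
    print(demo())  # (4, 5, 3, 8)
```

Without the caps each flood would collapse into one row carrying 20 uids or 20 msg_types; with them no row exceeds the configured size, which is the property the two btest cases check against their dhcp.log baselines.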


@ -0,0 +1,7 @@
# This tests that DHCP log entries do not contain large numbers
# of msg_types.
# @TEST-EXEC: zeek -b -r $TRACES/dhcp/dhcp_flood.pcap -e ' redef DHCP::max_uids_per_log_entry=500; redef DHCP::max_msg_types_per_log_entry=8;' %INPUT
# @TEST-EXEC: btest-diff dhcp.log
@load base/protocols/dhcp
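Review bot: the -e redef on the @TEST-EXEC line sets both new options (max_uids_per_log_entry=500 and max_msg_types_per_log_entry=8) although the header comment says this test is about msg_types; add a short comment explaining that the uid cap is raised to 500 so that only the msg_types cap can trigger the early write, otherwise a reader cannot tell which limit the baseline exercises. The test also relies on $TRACES/dhcp/dhcp_flood.pcap and on a dhcp.log baseline for btest-diff, so both must ship with this commit, and the baseline should be checked for no entry carrying more than 8 msg_types.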


@ -0,0 +1,7 @@
# This tests that DHCP log entries do not contain large numbers
# of uids.
# @TEST-EXEC: zeek -b -r $TRACES/dhcp/dhcp_flood.pcap -e ' redef DHCP::max_uids_per_log_entry=5' %INPUT
# @TEST-EXEC: btest-diff dhcp.log
@load base/protocols/dhcp
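Review bot: the header comment states what the test guards against but not the expected outcome; add a line noting that the flood trace should now produce several dhcp.log rows with at most 5 uids each, so whoever reviews the btest-diff baseline knows what to look for. Minor: the redef string starts with a stray space inside the quotes (' redef DHCP::max_uids_per_log_entry=5'), harmless to Zeek but worth tidying for consistency with the other test.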