mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Merge remote-tracking branch 'origin/topic/johanna/dpd-changes'
* origin/topic/johanna/dpd-changes: DPD: failed services logging alignment DPD: update test baselines; change options for external tests. DPD: change policy script for service violation logging; add NEWS DPD changes - small script fixes and renames. Update public and private test suite for DPD changes. Allow to track service violations in conn.log. Make conn.log service field ordered DPD: change handling of pre-confirmation violations, remove max_violations DPD: log analyzers that have confirmed IRC analyzer - make protocol confirmation more robust.
This commit is contained in:
Johanna Amann
commit
fc233fd8d0
82 changed files with 2456 additions and 2643 deletions
|
|
@ -26,14 +26,8 @@ export {
|
|||
failure_reason: string &log;
|
||||
};
|
||||
|
||||
## Ongoing DPD state tracking information.
|
||||
type State: record {
|
||||
## Current number of protocol violations seen per analyzer instance.
|
||||
violations: table[count] of count;
|
||||
};
|
||||
|
||||
## Number of protocol violations to tolerate before disabling an analyzer.
|
||||
option max_violations: table[Analyzer::Tag] of count = table() &default = 5;
|
||||
## Deprecated, please see https://github.com/zeek/zeek/pull/4200 for details
|
||||
option max_violations: table[Analyzer::Tag] of count = table() &deprecated="Remove in v8.1: This has become non-functional in Zeek 7.2, see PR #4200" &default = 5;
|
||||
|
||||
## Analyzers which you don't want to throw
|
||||
option ignore_violations: set[Analyzer::Tag] = set();
|
||||
|
|
@ -41,14 +35,16 @@ export {
|
|||
## Ignore violations which go this many bytes into the connection.
|
||||
## Set to 0 to never ignore protocol violations.
|
||||
option ignore_violations_after = 10 * 1024;
|
||||
|
||||
## Add removed services to conn.log, with a - in front of them.
|
||||
option track_removed_services_in_connection = F;
|
||||
}
|
||||
|
||||
redef record connection += {
|
||||
dpd: Info &optional;
|
||||
dpd_state: State &optional;
|
||||
## The set of services (analyzers) for which Zeek has observed a
|
||||
## violation after the same service had previously been confirmed.
|
||||
service_violation: set[string] &default=set();
|
||||
service_violation: set[string] &default=set() &ordered;
|
||||
};
|
||||
|
||||
event zeek_init() &priority=5
|
||||
|
|
@ -79,12 +75,11 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
|
|||
|
||||
local c = info$c;
|
||||
local analyzer = Analyzer::name(atype);
|
||||
# If the service hasn't been confirmed yet, don't generate a log message
|
||||
# for the protocol violation.
|
||||
if ( analyzer !in c$service )
|
||||
# If the service hasn't been confirmed yet, or already failed,
|
||||
# don't generate a log message for the protocol violation.
|
||||
if ( analyzer !in c$service || analyzer in c$service_violation )
|
||||
return;
|
||||
|
||||
delete c$service[analyzer];
|
||||
add c$service_violation[analyzer];
|
||||
|
||||
local dpd: Info;
|
||||
|
|
@ -125,24 +120,16 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
|
|||
if ( ignore_violations_after > 0 && size > ignore_violations_after )
|
||||
return;
|
||||
|
||||
if ( ! c?$dpd_state )
|
||||
local disabled = disable_analyzer(c$id, aid, F);
|
||||
|
||||
# add "-service" to the list of services on removal due to violation, if analyzer was confirmed before
|
||||
if ( track_removed_services_in_connection && disabled && Analyzer::name(atype) in c$service )
|
||||
{
|
||||
local s: State;
|
||||
c$dpd_state = s;
|
||||
local rname = cat("-", Analyzer::name(atype));
|
||||
if ( rname !in c$service )
|
||||
add c$service[rname];
|
||||
}
|
||||
|
||||
if ( aid in c$dpd_state$violations )
|
||||
++c$dpd_state$violations[aid];
|
||||
else
|
||||
c$dpd_state$violations[aid] = 1;
|
||||
|
||||
if ( c?$dpd || c$dpd_state$violations[aid] > max_violations[atype] )
|
||||
{
|
||||
# Disable an analyzer we've previously confirmed, but is now in
|
||||
# violation, or else any analyzer in excess of the max allowed
|
||||
# violations, regardless of whether it was previously confirmed.
|
||||
disable_analyzer(c$id, aid, F);
|
||||
}
|
||||
}
|
||||
|
||||
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo ) &priority=-5
|
||||
|
|
|
|||
|
|
@ -214,10 +214,5 @@ hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid:
|
|||
|
||||
populate_from_conn(rec, c);
|
||||
|
||||
if ( c?$dpd_state && aid in c$dpd_state$violations )
|
||||
{
|
||||
rec$failure_data = fmt("Disabled after %d violations", c$dpd_state$violations[aid]);
|
||||
}
|
||||
|
||||
Log::write(LOG, rec);
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue