Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/topic/johanna/dpd-changes'

Browse source 
* origin/topic/johanna/dpd-changes:
  DPD: failed services logging alignment
  DPD: update test baselines; change options for external tests.
  DPD: change policy script for service violation logging; add NEWS
  DPD changes - small script fixes and renames.
  Update public and private test suite for DPD changes.
  Allow to track service violations in conn.log.
  Make conn.log service field ordered
  DPD: change handling of pre-confirmation violations, remove max_violations
  DPD: log analyzers that have confirmed
  IRC analyzer - make protocol confirmation more robust.
This commit is contained in:
Johanna Amann 2025-02-07 07:31:26 +00:00
commit fc233fd8d0
82 changed files with 2456 additions and 2643 deletions
Download patch file Download diff file Expand all files Collapse all files

46
scripts/policy/protocols/conn/failed-service-logging.zeek Normal file
View file

@ -0,0 +1,46 @@
##! This script adds the new column ``failed_service`` to the connection log.
##! The column contains the list of protocols in a connection that raised protocol
##! violations causing the analyzer to be removed. Protocols are listed in order
##! that they were removed.
@load base/protocols/conn
@load base/frameworks/analyzer/dpd
module Conn;
redef record Conn::Info += {
## List of analyzers in a connection that raised violations
## causing their removal.
## Analyzers are listed in order that they were removed.
failed_service: set[string] &log &optional &ordered;
};
hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=-1000
{
if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
return;
# Only add if previously confirmed
if ( Analyzer::name(atype) !in c$service || Analyzer::name(atype) !in c$service_violation )
return;
# Only log if dpd.zeek will disable
if ( atype in DPD::ignore_violations )
return;
local size = c$orig$size + c$resp$size;
if ( DPD::ignore_violations_after > 0 && size > DPD::ignore_violations_after )
return;
set_conn(c, F);
local aname = to_lower(Analyzer::name(atype));
# No duplicate logging
if ( c$conn?$failed_service && aname in c$conn$failed_service )
return;
if ( ! c$conn?$failed_service )
c$conn$failed_service = set();
add c$conn$failed_service[aname];
}