packet_analysis: Raise violations once (and don't raise confirmations after violations)
This is mostly to avoid per-packet violations for packet analyzers that have sessions attached to them.
parent
700a9a4f37
commit
fdedc6b200
2 changed files with 14 additions and 0 deletions
|
@ -189,6 +189,10 @@ void Analyzer::AnalyzerConfirmation(session::Session* session, zeek::Tag arg_tag
|
|||
if ( session->AnalyzerState(effective_tag) == session::AnalyzerConfirmationState::CONFIRMED )
|
||||
return;
|
||||
|
||||
// If this session violated previously, we don't allow through a confirmation.
|
||||
if ( session->AnalyzerState(effective_tag) == session::AnalyzerConfirmationState::VIOLATED )
|
||||
return;
|
||||
|
||||
session->SetAnalyzerState(effective_tag, session::AnalyzerConfirmationState::CONFIRMED);
|
||||
|
||||
if ( analyzer_confirmation_info )
|
||||
|
@ -238,6 +242,9 @@ void Analyzer::AnalyzerViolation(const char* reason, session::Session* session,
|
|||
{
|
||||
const auto& effective_tag = arg_tag ? arg_tag : GetAnalyzerTag();
|
||||
|
||||
if ( session->AnalyzerState(effective_tag) == session::AnalyzerConfirmationState::VIOLATED )
|
||||
return;
|
||||
|
||||
session->SetAnalyzerState(effective_tag, session::AnalyzerConfirmationState::VIOLATED);
|
||||
|
||||
if ( analyzer_violation_info )
|
||||
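Review bot: The new early return in `AnalyzerViolation` carries no comment, yet it makes the first violation the only one reported per session and analyzer tag: later violations, including ones with a different `reason`, return before the `if ( analyzer_violation_info )` block. Since `AnalyzerConfirmation` now also returns on `VIOLATED`, the state appears to be terminal unless code outside these hunks resets it, so consumers of the event only ever see the earliest reason. I would state that next to the check, e.g. `// Raise a violation only once per session and tag; later violations and their reasons are dropped on purpose.`, mirroring the comment added in `AnalyzerConfirmation`. As a smaller style point, `AnalyzerConfirmation` now calls `session->AnalyzerState(effective_tag)` twice; reading it once into `const auto state = session->AnalyzerState(effective_tag);` and comparing `state` would be clearer. Both function bodies start or continue outside the visible hunks.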
|
|