mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
c72c1cba6f
This commit revamps the handling of analyzer violations that happen
before an analyzer confirms the protocol.
The current state is that an analyzer is disabled after 5 violations, if
it has not been confirmed. If it has been confirmed, it is disabled
after a single violation.
The reason for this is a historic mistake. In Zeek up to versions 1.5,
analyzers were unconditianally removed when they raised the first
protocol violation.
When this script was ported to the new layout for Zeek 2.0 in
b4b990cfb5, a logic error was introduced
that caused analyzers to no longer be disabled if they were not
confirmed.
This was the state for ~8 years, till the DPD::max_violations options
was added, which instates the current approach of disabling unconfirmed
analyzers after 5 violations. Sadly, there is not much discussion about
this change - from my hazy memory, I think this was discovered during
performance tests and the new behavior was added without checking into
the history of previous changes.
This commit reinstates the originally intended behavior of DPD. When an
analyzer that has not been confirmed raises a protocol violation, it is
immediately removed from the connection. This also makes a lot of sense
- this allows the analyzer to be in a "tasting" phase at the beginning
of the connection, and to error out quickly once it realizes that it was
attached to a connection not containing the desired protocol.
This change also removes the DPD::max_violations option, as it no longer
serves any purpose after this change. (In practice, the option remains
with an &deprecated warning, but it is no longer used for anything).
There are relatively minimal test-baseline changes due to this; they are
mostly triggered by the removal of the data structure and by less
analyzer errors being thrown, as unconfirmed analyzers are disabled
after the first error.
54 lines
1.5 KiB
Text
54 lines
1.5 KiB
Text
# Verifies analyzer ID retrieval from a connection.
|
|
#
|
|
# Not compatible with -O gen-C++ due to use of multiple scripts.
|
|
# @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1"
|
|
#
|
|
# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/ssh-on-port-80.trace %INPUT >output
|
|
# @TEST-EXEC: btest-diff output
|
|
|
|
# This first test should trigger one analyzer violation, since the given pcap
|
|
# has non-HTTP content on port 80. The analyzer will be disabled after the first
|
|
# violation (missing request line).
|
|
|
|
@load base/protocols/http
|
|
|
|
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
|
|
{
|
|
print atype;
|
|
}
|
|
|
|
# @TEST-START-NEXT
|
|
|
|
# This one should not trigger violations since we suppress HTTP analysis when
|
|
# the TCP connection establishes.
|
|
|
|
@load base/protocols/http
|
|
|
|
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
|
|
{
|
|
print atype;
|
|
}
|
|
|
|
event connection_established(c: connection)
|
|
{
|
|
local aid = lookup_connection_analyzer_id(c$id, Analyzer::ANALYZER_HTTP);
|
|
if ( aid > 0 )
|
|
disable_analyzer(c$id, aid, T, T);
|
|
}
|
|
|
|
# @TEST-START-NEXT
|
|
|
|
# This one validates the return values of analyzer ID lookup calls for valid &
|
|
# invalid connection IDs and analyzers.
|
|
|
|
@load base/protocols/http
|
|
|
|
event connection_established(c: connection)
|
|
{
|
|
assert lookup_connection_analyzer_id(c$id, Analyzer::ANALYZER_HTTP) != 0;
|
|
|
|
local wrong_cid = copy(c$id);
|
|
wrong_cid$orig_h = 1.2.3.4;
|
|
|
|
assert lookup_connection_analyzer_id(wrong_cid, Analyzer::ANALYZER_HTTP) == 0;
|
|
}
|