Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
zeek/policy/nfs.bro

100 lines
2.4 KiB
Text
Raw Permalink Blame History

# $Id: nfs.bro 4017 2007-02-28 07:11:54Z vern $
@load udp
module NFS;
export {
global log_file = open_log_file("nfs") &redef;
}
redef capture_filters += {
["nfs"] = "port 2049",
# NFS UDP packets are often fragmented.
["nfs-frag"] = "(ip[6:2] & 0x3fff != 0) and udp",
};
global nfs_ports = { 2049/tcp, 2049/udp } &redef;
redef dpd_config += { [ANALYZER_NFS] = [$ports = nfs_ports] };
# Maps opaque file handles to numbers for easier tracking.
global num_fhs = 0;
global fh_map: table[string] of count;
function map_fh(fh: string): string
{
if ( fh !in fh_map )
fh_map[fh] = ++num_fhs;
return cat("FH", fh_map[fh]);
}
function NFS_request(n: connection, req: string, addl: string)
{
print log_file, fmt("%.06f %s NFS %s: %s",
network_time(), id_string(n$id), req, addl);
}
function NFS_attempt(n: connection, req: string, status: count, addl: string)
{
print log_file, fmt("%.06f %s NFS attempt %s (%d): %s",
network_time(), id_string(n$id), req, status, addl);
}
event nfs_request_null(n: connection)
{
NFS_request(n, "null", "");
}
event nfs_attempt_null(n: connection, status: count)
{
NFS_attempt(n, "null", status, "");
}
event nfs_request_getattr(n: connection, fh: string, attrs: nfs3_attrs)
{
NFS_request(n, "getattr", fmt("%s -> %s", map_fh(fh), attrs));
}
event nfs_attempt_getattr(n: connection, status: count, fh: string)
{
NFS_attempt(n, "getattr", status, map_fh(fh));
}
function opt_attr_fmt(a: nfs3_opt_attrs): string
{
return a?$attrs ? fmt("%s", a$attrs) : "<missing>";
}
event nfs_request_lookup(n: connection, req: nfs3_lookup_args, rep: nfs3_lookup_reply)
{
NFS_request(n, "lookup", fmt("%s -> %s (file-attr: %s, dir-attr: %s)",
req, rep$fh,
opt_attr_fmt(rep$file_attr),
opt_attr_fmt(rep$dir_attr)));
}
event nfs_attempt_lookup(n: connection, status: count, req: nfs3_lookup_args)
{
NFS_attempt(n, "lookup", status, fmt("%s", req));
}
event nfs_request_fsstat(n: connection, root_fh: string, stat: nfs3_fsstat)
{
NFS_request(n, "fsstat", fmt("%s -> attr: %s, tbytes: %s, fbytes: %s, abytes: %s, tfiles: %s, ffiles: %s, afiles: %s, invarsec: %s",
map_fh(root_fh),
opt_attr_fmt(stat$attrs),
stat$tbytes, stat$fbytes, stat$abytes,
stat$tfiles, stat$ffiles, stat$afiles,
stat$invarsec));
}
event nfs_attempt_fsstat(n: connection, status: count, root_fh: string)
{
NFS_attempt(n, "fsstat", status, map_fh(root_fh));
}
Reference in a new issue View git blame Copy permalink