zeek/testing/btest/Baseline/scripts.base.protocols.ssl.prevent-disable-analyzer at 04a1ead97865af62d93bc0e3e605279867509cd1 - Mirror/zeek

mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00

History

Arne Welzel abb7f9a509 Introduce global disabling_analyzer() hook to veto disable_analyzer() This hook can be used to coordinate disabling an analyzer for a given connection. The contract is simple: Any script can veto a disable_analyzer() call by breaking from this hook. The decision is local to the script taking into account any state attached to the connection object or script specific state stored elsewhere. A script breaking from the hook takes over the responsibility to call disable_analyzer() at a later point when it finds the condition due to which it vetoed fulfilled (which may be never). Signature: disabling_analyzer: hook(c: connection, atype: AllAnalyzers::Tag, aid: count); Example use-cases are keeping the SSL analyzer enabled for finger-printing until a certain amount of bytes or packets have been transferred or similarly the connection duration exceed a certain threshold. Other example use-cases might be keeping analyzers for SSH, RDP or SSL enabled for connections from specific subnets. It's a bit quirky as it makes disable_analyzer() a maybe operation. While log policy hooks and/or the notice hook have similar semantics, they are not as stateful. It still seems like a quite powerful primitive. The disable_analyzer() call in dpd/main.zeek may motivate the addition of a force flag as a follow-up for situations where the caller "knows better" or absolutely wants to override. Closes #1678 #1593.	2022-08-11 09:40:36 +02:00
..
.stdout	Introduce global disabling_analyzer() hook to veto disable_analyzer()	2022-08-11 09:40:36 +02:00

Arne Welzel abb7f9a509 Introduce global disabling_analyzer() hook to veto disable_analyzer()

This hook can be used to coordinate disabling an analyzer for a given
connection. The contract is simple: Any script can veto a disable_analyzer()
call by breaking from this hook. The decision is local to the script taking
into account any state attached to the connection object or script specific
state stored elsewhere.
A script breaking from the hook takes over the responsibility to call
disable_analyzer() at a later point when it finds the condition due to which
it vetoed fulfilled (which may be never).

Signature:

    disabling_analyzer: hook(c: connection, atype: AllAnalyzers::Tag, aid: count);

Example use-cases are keeping the SSL analyzer enabled for finger-printing
until a certain amount of bytes or packets have been transferred or
similarly the connection duration exceed a certain threshold.

Other example use-cases might be keeping analyzers for SSH, RDP or SSL
enabled for connections from specific subnets.

It's a bit quirky as it makes disable_analyzer() a maybe operation. While log
policy hooks and/or the notice hook have similar semantics, they are not as
stateful. It still seems like a quite powerful primitive.

The disable_analyzer() call in dpd/main.zeek may motivate the addition of a
force flag as a follow-up for situations where the caller "knows better" or
absolutely wants to override.

Closes #1678 #1593.

2022-08-11 09:40:36 +02:00

.stdout

Introduce global disabling_analyzer() hook to veto disable_analyzer()

2022-08-11 09:40:36 +02:00