mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
104 lines
2.8 KiB
Text
104 lines
2.8 KiB
Text
##! Activates port-independent protocol detection and selectively disables
|
|
##! analyzers if protocol violations occur.
|
|
|
|
module DPD;
|
|
|
|
export {
|
|
## Add the DPD logging stream identifier.
|
|
redef enum Log::ID += { LOG };
|
|
|
|
## The record type defining the columns to log in the DPD logging stream.
|
|
type Info: record {
|
|
## Timestamp for when protocol analysis failed.
|
|
ts: time &log;
|
|
## Connection unique ID.
|
|
uid: string &log;
|
|
## Connection ID containing the 4-tuple which identifies endpoints.
|
|
id: conn_id &log;
|
|
## Transport protocol for the violation.
|
|
proto: transport_proto &log;
|
|
## The analyzer that generated the violation.
|
|
analyzer: string &log;
|
|
## The textual reason for the analysis failure.
|
|
failure_reason: string &log;
|
|
|
|
## Disabled analyzer IDs. This is only for internal tracking
|
|
## so as to not attempt to disable analyzers multiple times.
|
|
disabled_aids: set[count];
|
|
};
|
|
|
|
## Analyzers which you don't want to throw
|
|
const ignore_violations: set[Analyzer::Tag] = set() &redef;
|
|
|
|
## Ignore violations which go this many bytes into the connection.
|
|
## Set to 0 to never ignore protocol violations.
|
|
const ignore_violations_after = 10 * 1024 &redef;
|
|
}
|
|
|
|
redef record connection += {
|
|
dpd: Info &optional;
|
|
};
|
|
|
|
event bro_init() &priority=5
|
|
{
|
|
Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd"]);
|
|
}
|
|
|
|
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10
|
|
{
|
|
local analyzer = Analyzer::name(atype);
|
|
|
|
if ( fmt("-%s",analyzer) in c$service )
|
|
delete c$service[fmt("-%s", analyzer)];
|
|
|
|
add c$service[analyzer];
|
|
}
|
|
|
|
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
|
|
reason: string) &priority=10
|
|
{
|
|
local analyzer = Analyzer::name(atype);
|
|
# If the service hasn't been confirmed yet, don't generate a log message
|
|
# for the protocol violation.
|
|
if ( analyzer !in c$service )
|
|
return;
|
|
|
|
delete c$service[analyzer];
|
|
add c$service[fmt("-%s", analyzer)];
|
|
|
|
local info: Info;
|
|
info$ts=network_time();
|
|
info$uid=c$uid;
|
|
info$id=c$id;
|
|
info$proto=get_conn_transport_proto(c$id);
|
|
info$analyzer=analyzer;
|
|
info$failure_reason=reason;
|
|
c$dpd = info;
|
|
}
|
|
|
|
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=5
|
|
{
|
|
if ( !c?$dpd || aid in c$dpd$disabled_aids )
|
|
return;
|
|
|
|
local size = c$orig$size + c$resp$size;
|
|
if ( ignore_violations_after > 0 && size > ignore_violations_after )
|
|
return;
|
|
|
|
if ( atype in ignore_violations )
|
|
return;
|
|
|
|
# Disable the analyzer that raised the last core-generated event.
|
|
disable_analyzer(c$id, aid);
|
|
add c$dpd$disabled_aids[aid];
|
|
}
|
|
|
|
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
|
|
reason: string) &priority=-5
|
|
{
|
|
if ( c?$dpd )
|
|
{
|
|
Log::write(DPD::LOG, c$dpd);
|
|
delete c$dpd;
|
|
}
|
|
}
|