mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
a1c5eddb95
- Add an extra "prevent" parameter (default value of false), which helps prevent the same analyzer type from being attached in the future. It's useful in situations where you want to disable early on, but a DPD signature may still trigger later and re-attach the same analyzer. E.g. when not using this flag, but calling disable_analyzer() inside an http_request event, will remove the HTTP analyzer that was attached due to well-known-port, but a later DPD signature match from upon seeing the HTTP reply will end up attaching another HTTP analyzer. More surprising is that upon re-attaching that analyzer, you'll get the same http_request as before since the DPD buffer will get replayed into the new analyzer. - Fixes disable_analyzer() to work when called even earlier, like within the protocol_confirmation event. At that time, the Analyzer tree may have not properly added the new analyzer into Analyzer::children yet, but rather the temporary waiting list, Analyzer::new_children. Analyzer::RemoveChildAnalyzer previously did not inspect the later list. - Fixes disable_analyzer() when called on an analyzer added to the tree via TCP_Analyzer::AddChildPacketAnalyzer. TCP_Analyzer keeps track of such children in its own list, TCP_Analyzer::packet_children, which the previous Analyzer::RemoveChildAnalyzer implementation didn't inspect.
16 lines
492 B
Text
16 lines
492 B
Text
# @TEST-EXEC: zeek -b -r $TRACES/http/pipelined-requests.trace %INPUT >out
|
|
# @TEST-EXEC: btest-diff out
|
|
|
|
@load base/protocols/http
|
|
|
|
event connection_established(c: connection)
|
|
{
|
|
set_current_conn_packets_threshold(c$id, 1, T);
|
|
}
|
|
|
|
event conn_packets_threshold_crossed(c: connection, threshold: count, is_orig: bool)
|
|
{
|
|
print "triggered packets", c$id, threshold, is_orig;
|
|
set_current_conn_packets_threshold(c$id, threshold + 1, T);
|
|
print disable_analyzer(c$id, current_analyzer(), T);
|
|
}
|