mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
58613f0313
This field is used internally to trace which analyzers already had a violation. This is mostly used to prevent duplicate logging. In the past, c$service_violation was used for a similar purpose - however it has slightly different semantics. Where c$failed_analyzers tracks analyzers that were removed due to a violation, c$service_violation tracks violations - and doesn't care if an analyzer was actually removed due to it.
44 lines
1.2 KiB
Text
44 lines
1.2 KiB
Text
##! This script adds the new column ``failed_service`` to the connection log.
|
|
##! The column contains the list of protocols in a connection that raised protocol
|
|
##! violations causing the analyzer to be removed. Protocols are listed in order
|
|
##! that they were removed.
|
|
|
|
@load base/protocols/conn
|
|
@load base/frameworks/analyzer/dpd
|
|
|
|
module Conn;
|
|
|
|
redef record Conn::Info += {
|
|
## List of analyzers in a connection that raised violations
|
|
## causing their removal.
|
|
## Analyzers are listed in order that they were removed.
|
|
failed_service: set[string] &log &optional &ordered;
|
|
};
|
|
|
|
event analyzer_failed(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
|
|
{
|
|
if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
|
|
return;
|
|
|
|
if ( ! info?$c )
|
|
return;
|
|
|
|
local c = info$c;
|
|
|
|
# Only add if previously confirmed and not failed
|
|
local analyzer_name = Analyzer::name(atype);
|
|
if ( analyzer_name !in c$service || analyzer_name in c$failed_analyzers )
|
|
return;
|
|
|
|
set_conn(c, F);
|
|
|
|
local aname = to_lower(Analyzer::name(atype));
|
|
# No duplicate logging
|
|
if ( c$conn?$failed_service && aname in c$conn$failed_service )
|
|
return;
|
|
|
|
if ( ! c$conn?$failed_service )
|
|
c$conn$failed_service = set();
|
|
|
|
add c$conn$failed_service[aname];
|
|
}
|