mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 07:08:19 +00:00
abb7f9a509
This hook can be used to coordinate disabling an analyzer for a given
connection. The contract is simple: Any script can veto a disable_analyzer()
call by breaking from this hook. The decision is local to the script taking
into account any state attached to the connection object or script specific
state stored elsewhere.
A script breaking from the hook takes over the responsibility to call
disable_analyzer() at a later point when it finds the condition due to which
it vetoed fulfilled (which may be never).
Signature:
disabling_analyzer: hook(c: connection, atype: AllAnalyzers::Tag, aid: count);
Example use-cases are keeping the SSL analyzer enabled for finger-printing
until a certain amount of bytes or packets have been transferred or
similarly the connection duration exceed a certain threshold.
Other example use-cases might be keeping analyzers for SSH, RDP or SSL
enabled for connections from specific subnets.
It's a bit quirky as it makes disable_analyzer() a maybe operation. While log
policy hooks and/or the notice hook have similar semantics, they are not as
stateful. It still seems like a quite powerful primitive.
The disable_analyzer() call in dpd/main.zeek may motivate the addition of a
force flag as a follow-up for situations where the caller "knows better" or
absolutely wants to override.
Closes #1678 #1593.
|
||
|---|---|---|
| .. | ||
| basic.test | ||
| common_name.test | ||
| comp_methods.test | ||
| cve-2015-3194.test | ||
| dhe.test | ||
| dpd.test | ||
| dtls-no-dtls.test | ||
| dtls-stun-dpd.test | ||
| dtls.test | ||
| ecdhe.test | ||
| ecdsa.test | ||
| fragment.test | ||
| handshake-events.test | ||
| keyexchange.test | ||
| ocsp-http-get.test | ||
| ocsp-request-only.test | ||
| ocsp-request-response.test | ||
| ocsp-response-only.test | ||
| ocsp-revoked.test | ||
| ocsp-stapling.test | ||
| prevent-disable-analyzer.test | ||
| signed_certificate_timestamp.test | ||
| tls-1.2-ciphers.test | ||
| tls-1.2-handshake-failure.test | ||
| tls-1.2-random.test | ||
| tls-1.2.test | ||
| tls-extension-events.test | ||
| tls1_1.test | ||
| tls13-experiment.test | ||
| tls13-version.test | ||
| tls13.test | ||
| tls13_encrypted_handshake_events.test | ||
| x509-invalid-extension.test | ||
| x509_extensions.test | ||