mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 16:48:19 +00:00
68aead024a
It relies on the heuristics of GridFTP data channels commonly default to SSL mutual authentication with a NULL bulk cipher and that they usually transfer large datasets (default threshold of script is 1 GB). The script also defaults to skip_further_processing() after detection to try to save cycles analyzing the large, benign connection. Also added a script in base/protocols/conn/polling that generalizes the process of polling a connection for interesting features. The GridFTP data channel detection script depends on it to monitor bytes transferred.
51 lines
1.7 KiB
Text
51 lines
1.7 KiB
Text
##! Implements a generic way to poll connections looking for certain features
|
|
##! (e.g. monitor bytes transferred). The specific feature of a connection
|
|
##! to look for, the polling interval, and the code to execute if the feature
|
|
##! is found are all controlled by user-defined callback functions.
|
|
|
|
module ConnPolling;
|
|
|
|
export {
|
|
## Starts monitoring a given connection.
|
|
##
|
|
## c: The connection to watch.
|
|
##
|
|
## callback: A callback function that takes as arguments the monitored
|
|
## *connection*, and counter *cnt* that increments each time the
|
|
## callback is called. It returns an interval indicating how long
|
|
## in the future to schedule an event which will call the
|
|
## callback. A negative return interval causes polling to stop.
|
|
##
|
|
## cnt: The initial value of a counter which gets passed to *callback*.
|
|
##
|
|
## i: The initial interval at which to schedule the next callback.
|
|
## May be ``0secs`` to poll right away.
|
|
global watch: function(
|
|
c: connection,
|
|
callback: function(c: connection, cnt: count): interval,
|
|
cnt: count,
|
|
i: interval);
|
|
}
|
|
|
|
event ConnPolling::check(
|
|
c: connection,
|
|
callback: function(c: connection, cnt: count): interval,
|
|
cnt: count)
|
|
{
|
|
if ( ! connection_exists(c$id) ) return;
|
|
|
|
lookup_connection(c$id); # updates the conn val
|
|
|
|
local next_interval = callback(c, cnt);
|
|
if ( next_interval < 0secs ) return;
|
|
watch(c, callback, cnt + 1, next_interval);
|
|
}
|
|
|
|
function watch(
|
|
c: connection,
|
|
callback: function(c: connection, cnt: count): interval,
|
|
cnt: count,
|
|
i: interval)
|
|
{
|
|
schedule i { ConnPolling::check(c, callback, cnt) };
|
|
}
|