mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
597a4d6704
- policy/ renamed to scripts/ - By default BROPATH now contains: - scripts/ - scripts/policy - scripts/site - *Nearly* all tests pass. - All of scripts/base/ is loaded by main.cc - Can be disabled by setting $BRO_NO_BASE_SCRIPTS - Scripts in scripts/base/ don't use relative path loading to ease use of BRO_NO_BASE_SCRIPTS (to copy and paste that script). - The scripts in scripts/base/protocols/ only (or soon will only) do logging and state building. - The scripts in scripts/base/frameworks/ add functionality without causing any additional overhead. - All "detection" activity happens through scripts in scripts/policy/. - Communications framework modified temporarily to need an environment variable to actually enable (ENABLE_COMMUNICATION=1) - This is so the communications framework can be loaded as part of the base without causing trouble when it's not needed. - This will be removed once a resolution to ticket #540 is reached.
27 lines
877 B
Text
27 lines
877 B
Text
##! This script enables logging of packet segment data when a protocol
|
|
##! parsing violation is encountered. The amount of
|
|
##! data from the packet logged is set by the packet_segment_size variable.
|
|
##! A caveat to logging packet data is that in some cases, the packet may
|
|
##! not be the packet that actually caused the protocol violation.
|
|
|
|
module DPD;
|
|
|
|
export {
|
|
redef record Info += {
|
|
## A chunk of the payload the most likely resulted in the protocol
|
|
## violation.
|
|
packet_segment: string &optional &log;
|
|
};
|
|
|
|
## Size of the packet segment to display in the DPD log.
|
|
const packet_segment_size: int = 255 &redef;
|
|
}
|
|
|
|
|
|
event protocol_violation(c: connection, atype: count, aid: count,
|
|
reason: string) &priority=4
|
|
{
|
|
if ( ! c?$dpd ) return;
|
|
|
|
c$dpd$packet_segment=fmt("%s", sub_bytes(get_current_packet()$data, 0, packet_segment_size));
|
|
}
|