mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
bc8fd5a4c6
Introduce two new events for analyzer confirmation and analyzer violation reporting. The current analyzer_confirmation and analyzer_violation events assume connection objects and analyzer ids are available which is not always the case. We're already passing aid=0 for packet analyzers and there's not currently a way to report violations from file analyzers using analyzer_violation, for example. These new events use an extensible Info record approach so that additional (optional) information can be added later without changing the signature. It would allow for per analyzer extensions to the info records to pass analyzer specific info to script land. It's not clear that this would be a good idea, however. The previous analyzer_confirmation and analyzer_violation events continue to exist, but are deprecated and will be removed with Zeek 6.1.
30 lines
970 B
Text
30 lines
970 B
Text
##! This script enables logging of packet segment data when a protocol
|
|
##! parsing violation is encountered. The amount of data from the
|
|
##! packet logged is set by the :zeek:see:`DPD::packet_segment_size` variable.
|
|
##! A caveat to logging packet data is that in some cases, the packet may
|
|
##! not be the packet that actually caused the protocol violation.
|
|
|
|
module DPD;
|
|
|
|
export {
|
|
redef record Info += {
|
|
## A chunk of the payload that most likely resulted in the
|
|
## analyzer violation.
|
|
packet_segment: string &optional &log;
|
|
};
|
|
|
|
## Size of the packet segment to display in the DPD log.
|
|
option packet_segment_size: int = 255;
|
|
}
|
|
|
|
|
|
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=4
|
|
{
|
|
if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
|
|
return;
|
|
|
|
if ( ! info?$c || ! info$c?$dpd )
|
|
return;
|
|
|
|
info$c$dpd$packet_segment = fmt("%s", sub_bytes(get_current_packet()$data, 0, packet_segment_size));
|
|
}
|