mirror of
https://github.com/zeek/zeek.git
synced 2025-10-12 11:38:20 +00:00

This is based on commit 2731def9159247e6da8a3191783c89683363689c from the zeek-docs repo.
:tocdepth: 3

base/frameworks/analyzer/dpd.zeek
=================================
.. zeek:namespace:: DPD

Disables analyzers if protocol violations occur, and adds service information
to the connection log.

:Namespace: DPD
:Imports: :doc:`base/frameworks/analyzer/main.zeek </scripts/base/frameworks/analyzer/main.zeek>`

Summary
~~~~~~~
Runtime Options
###############
=========================================================================================== ===============================================================
:zeek:id:`DPD::ignore_violations`: :zeek:type:`set` :zeek:attr:`&redef`                     Analyzers which you don't want to remove on violations.
:zeek:id:`DPD::ignore_violations_after`: :zeek:type:`count` :zeek:attr:`&redef`             Ignore violations which go this many bytes into the connection.
:zeek:id:`DPD::track_removed_services_in_connection`: :zeek:type:`bool` :zeek:attr:`&redef` Change behavior of service field in conn.log:
                                                                                            Failed services are no longer removed.
=========================================================================================== ===============================================================

Redefinitions
#############
============================================ ==================================================================================================================
:zeek:type:`connection`: :zeek:type:`record`

                                             :New Fields: :zeek:type:`connection`

                                               failed_analyzers: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{ }`` :zeek:attr:`&optional`
                                                 The set of protocol analyzers that were removed due to a protocol
                                                 violation after the same analyzer had previously been confirmed.
============================================ ==================================================================================================================

Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: DPD::ignore_violations
   :source-code: base/frameworks/analyzer/dpd.zeek 10 10

   :Type: :zeek:type:`set` [:zeek:type:`Analyzer::Tag`]
   :Attributes: :zeek:attr:`&redef`
   :Default: ``{}``
   :Redefinition: from :doc:`/scripts/base/protocols/dce-rpc/main.zeek`

      ``+=``::

         Analyzer::ANALYZER_DCE_RPC

   :Redefinition: from :doc:`/scripts/base/protocols/ntlm/main.zeek`

      ``+=``::

         Analyzer::ANALYZER_NTLM

   Analyzers which you don't want to remove on violations.

.. zeek:id:: DPD::ignore_violations_after
   :source-code: base/frameworks/analyzer/dpd.zeek 14 14

   :Type: :zeek:type:`count`
   :Attributes: :zeek:attr:`&redef`
   :Default: ``10240``

   Ignore violations that occur more than this many bytes into the
   connection; such late violations do not cause the analyzer to be
   removed. Set to 0 to never ignore protocol violations.

.. zeek:id:: DPD::track_removed_services_in_connection
   :source-code: base/frameworks/analyzer/dpd.zeek 21 21

   :Type: :zeek:type:`bool`
   :Attributes: :zeek:attr:`&redef`
   :Default: ``F``

   Changes the behavior of the ``service`` field in ``conn.log``:
   failed services are no longer removed. Instead, for a failed
   service, a second entry with a "-" in front of it is added.
   E.g., an HTTP connection with a violation would be logged as
   "http,-http".

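The following script shows how the three options above are tuned in practice and how the ``failed_analyzers`` field can be inspected. It is an added example, not code from ``dpd.zeek`` or the Zeek project; it assumes Zeek 6.x, where ``base/frameworks/analyzer/dpd`` is loaded and the ``analyzer_violation_info`` event and the ``Analyzer::ANALYZER_SSH`` tag are available. The choice of SSH as an analyzer to keep attached is an illustrative local policy, not a recommendation from the page.

```zeek
##! Example DPD tuning (added illustration; not part of dpd.zeek).
##! Assumes Zeek 6.x with base/frameworks/analyzer/dpd loaded.

@load base/frameworks/analyzer/dpd

# Keep the SSH analyzer attached even if it reports a protocol violation.
# (Assumed local policy, chosen only to illustrate DPD::ignore_violations.)
redef DPD::ignore_violations += { Analyzer::ANALYZER_SSH };

# Never suppress a violation because of how far into the connection it
# occurred. With the default (10240), an analyzer that has already seen
# more than 10 KiB stays attached after a violation.
redef DPD::ignore_violations_after = 0;

# Keep failed services visible in conn.log as e.g. "http,-http" instead
# of silently dropping them from the service field.
redef DPD::track_removed_services_in_connection = T;

# Report each violation as it arrives, before DPD decides whether to
# remove the analyzer. Violations raised for files (no connection) are
# skipped.
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
	{
	if ( ! info?$c )
		return;

	print fmt("violation uid=%s analyzer=%s reason=%s",
	          info$c$uid, atype, info$reason);
	}

# At connection end, report the analyzers DPD actually removed. The
# field is &optional &default=set(), so reading it when unset yields an
# empty set rather than an error.
event connection_state_remove(c: connection)
	{
	if ( |c$failed_analyzers| == 0 )
		return;

	print fmt("%s %s:%s -> %s:%s failed_analyzers=%s",
	          c$uid, c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
	          c$failed_analyzers);
	}
```

To check the effect offline, run it against a capture (``zeek -r trace.pcap dpd-tuning.zeek``, with ``dpd-tuning.zeek`` as the assumed file name) and compare the ``service`` column of the resulting ``conn.log`` with a run without the script: connections whose analyzer was removed after confirmation now carry an extra ``-<service>`` entry, and the ``failed_analyzers`` output identifies which analyzer it was.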