mirror of
https://github.com/zeek/zeek.git
synced 2025-10-14 04:28:20 +00:00
72 lines
No EOL
1.6 KiB
Text
72 lines
No EOL
1.6 KiB
Text
##! Activates port-independent protocol detection.
|
|
|
|
@load functions
|
|
@load signatures
|
|
|
|
module DPD;
|
|
|
|
## Add the DPD signatures to the signature framework.
|
|
redef signature_files += "dpd/dpd.sig";
|
|
|
|
export {
|
|
redef enum Log::ID += { DPD };
|
|
|
|
type Info: record {
|
|
ts: time &log;
|
|
uid: string &log;
|
|
id: conn_id &log;
|
|
proto: transport_proto &log;
|
|
analyzer: string &log;
|
|
failure_reason: string &log;
|
|
};
|
|
}
|
|
|
|
redef record connection += {
|
|
dpd: Info &optional;
|
|
};
|
|
|
|
event bro_init()
|
|
{
|
|
Log::create_stream(DPD, [$columns=Info]);
|
|
|
|
for ( a in dpd_config )
|
|
{
|
|
for ( p in dpd_config[a]$ports )
|
|
{
|
|
if ( p !in dpd_analyzer_ports )
|
|
dpd_analyzer_ports[p] = set();
|
|
add dpd_analyzer_ports[p][a];
|
|
}
|
|
}
|
|
}
|
|
|
|
event protocol_confirmation(c: connection, atype: count, aid: count) &priority=10
|
|
{
|
|
if ( fmt("-%s",analyzer_name(atype)) in c$service )
|
|
delete c$service[fmt("-%s", analyzer_name(atype))];
|
|
|
|
add c$service[analyzer_name(atype)];
|
|
}
|
|
|
|
event protocol_violation(c: connection, atype: count, aid: count,
|
|
reason: string) &priority=5
|
|
{
|
|
if ( analyzer_name(atype) in c$service )
|
|
delete c$service[analyzer_name(atype)];
|
|
add c$service[fmt("-%s", analyzer_name(atype))];
|
|
|
|
local info: Info;
|
|
info$ts=network_time();
|
|
info$uid=c$uid;
|
|
info$id=c$id;
|
|
info$proto=get_conn_transport_proto(c$id);
|
|
info$analyzer=analyzer_name(atype);
|
|
info$failure_reason=reason;
|
|
c$dpd = info;
|
|
}
|
|
|
|
event protocol_violation(c: connection, atype: count, aid: count,
|
|
reason: string) &priority=-5
|
|
{
|
|
Log::write(DPD, c$dpd);
|
|
} |