mirror of
https://github.com/zeek/zeek.git
synced 2025-10-09 18:18:19 +00:00
42 lines
1 KiB
Text
42 lines
1 KiB
Text
##! When this script is loaded, analyzers that raise protocol_violation events
|
|
##! are disabled for the affected connection.
|
|
|
|
@load dpd/base
|
|
@load notice
|
|
|
|
module DPD;
|
|
|
|
export {
|
|
redef enum Notice::Type += {
|
|
ProtocolViolation
|
|
};
|
|
|
|
redef record DPD::Info += {
|
|
## Disabled analyzer IDs.
|
|
# TODO: This is waiting on ticket #460 to remove the '0'.
|
|
disabled_aids: set[count] &default=set(0);
|
|
};
|
|
|
|
## Ignore violations which go this many bytes into the connection.
|
|
const max_data_volume = 10 * 1024 &redef;
|
|
}
|
|
|
|
|
|
event protocol_violation(c: connection, atype: count, aid: count,
|
|
reason: string) &priority=5
|
|
{
|
|
if ( aid in c$dpd$disabled_aids )
|
|
return;
|
|
|
|
local size = c$orig$size + c$resp$size;
|
|
if ( max_data_volume > 0 && size > max_data_volume )
|
|
return;
|
|
|
|
# Disable the analyzer that raised the last core-generated event.
|
|
disable_analyzer(c$id, aid);
|
|
add c$dpd$disabled_aids[aid];
|
|
|
|
NOTICE([$note=ProtocolViolation, $conn=c,
|
|
$msg=fmt("%s disabled due to protocol violation", analyzer_name(atype)),
|
|
$sub=reason, $n=atype]);
|
|
}
|