mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
53 lines
1.2 KiB
Text
53 lines
1.2 KiB
Text
# $Id: dyn-disable.bro,v 1.1.4.3 2006/05/31 01:52:02 sommer Exp $
|
|
#
|
|
# When this script is loaded, analyzers that raise protocol_violation events
|
|
# are disabled for the affected connection.
|
|
|
|
# Note that this a first-shot solution. Eventually, we should make the
|
|
# disable-decision more fine-grained/sophisticated.
|
|
|
|
@load conn
|
|
@load notice
|
|
|
|
module DynDisable;
|
|
|
|
export {
|
|
redef enum Notice += {
|
|
ProtocolViolation
|
|
};
|
|
|
|
# Ignore violations which go this many bytes into the connection.
|
|
const max_volume = 10 * 1024 &redef;
|
|
}
|
|
|
|
global conns: table[conn_id] of set[count];
|
|
|
|
event protocol_violation(c: connection, atype: count, aid: count,
|
|
reason: string)
|
|
{
|
|
if ( c$id in conns && aid in conns[c$id] )
|
|
return;
|
|
|
|
local size = c$orig$size + c$resp$size;
|
|
|
|
if ( max_volume > 0 && size > max_volume )
|
|
return;
|
|
|
|
# Disable the analyzer that raised the last core-generated event.
|
|
disable_analyzer(c$id, aid);
|
|
|
|
NOTICE([$note=ProtocolViolation, $conn=c,
|
|
$msg=fmt("%s analyzer %s disabled due to protocol violation",
|
|
id_string(c$id), analyzer_name(atype)),
|
|
$sub=reason, $n=atype]);
|
|
|
|
if ( c$id !in conns )
|
|
conns[c$id] = set();
|
|
|
|
add conns[c$id][aid];
|
|
}
|
|
|
|
event connection_state_remove(c: connection)
|
|
{
|
|
delete conns[$id=c$id];
|
|
}
|