
And switch Zeek's base scripts over to using it in place of "connection_state_remove". The difference between the two is that "connection_state_remove" is raised for every connection, while "successful_connection_remove" excludes TCP connections that were never established (i.e., only SYN packets were seen). There can be performance benefits to this change for some use-cases. There's also a new event called ``connection_successful`` and a new ``connection`` record field named "successful" to help indicate this new property of connections.
##! This script adds information about matched DPD signatures to the connection
##! log.
@load base/protocols/conn

# The fields and handlers below extend the Conn::Info record and the conn.log
# output that base/protocols/conn provides, so this script joins that module.
module Conn;
redef record Info += {
	## Name of the protocol whose DPD signature matched only after the start
	## of the connection. A match that late cannot attach an analyzer, so the
	## payload is never parsed and the protocol is never confirmed; this field
	## preserves the signature's guess in conn.log anyway. Several late
	## matches on one connection are joined with commas.
	speculative_service: string &optional &log;
};
redef record connection += {
	## Analyzer names (as returned by :zeek:see:`Analyzer::name`) whose DPD
	## signatures matched late on this connection. Accumulated while the
	## connection is alive and copied into ``Conn::Info$speculative_service``
	## when the connection is removed.
	speculative_service: set[string] &default=string_set();
};
# Allow DPD signatures to keep matching once the initial detection buffer has
# been consumed; otherwise a protocol seen only later in the stream would never
# be recognized at all (judging by the option's name — confirm against
# init-bare.zeek for the exact semantics).
redef dpd_match_only_beginning = F;
# Per its name, stop signature matching on a connection after the first late
# match has been reported; the match itself is delivered via the
# protocol_late_match event handled below.
redef dpd_late_match_stop = T;
## Record a DPD signature that matched too late to attach an analyzer.
##
## c: The connection on which the late match occurred.
##
## atype: Tag of the analyzer whose signature matched.
event protocol_late_match(c: connection, atype: Analyzer::Tag)
	{
	# Keep only the analyzer's name; the set collapses repeated matches of
	# the same protocol so each name ends up in the log at most once.
	add c$speculative_service[Analyzer::name(atype)];
	}
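## Copy any late-matched analyzer names into the connection's conn.log entry.
##
## c: The connection being removed; its ``speculative_service`` set was
##    filled by the protocol_late_match handler above.
event successful_connection_remove(c: connection)
	{
	# Nothing matched late on this connection: leave the log field unset
	# rather than writing an empty string.
	if ( |c$speculative_service| == 0 )
		return;

	# Use the built-in join instead of hand-rolling the comma separation.
	# NOTE: set iteration order is not guaranteed to be stable, so when more
	# than one protocol matched the order of names in the field may vary
	# between runs; consumers should not rely on it.
	c$conn$speculative_service = to_lower(join_string_set(c$speculative_service, ","));
	}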