Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
zeek/scripts/policy/protocols/conn/failed-service-logging.zeek
Johanna Amann af77a7a83b Analyzer failure logging: tweaks and test fixes 
The main part of this commit are changes in tests. A lot of the tests
that previously relied on analyzer.log or dpd.log now use the new
analyzer-failed.log.

I verified all the changes and, as far as I can tell, everything
behaves as it should. This includes the external test baselines.

This change also enables logging of file and packet analyzer to
analyzer_failed.log and fixes some small behavior issues.

The analyzer_failed event is no longer raised when the removal of an
analyzer is vetoed.

If an analyzer is no longer active when an analyzer violation is raised,
currently the analyzer_failed event is raised. This can, e.g., happen
when an analyzer error happens at the very end of the connection. This
makes the behavior more similar to what happened in the past, and also
intuitively seems to make sense.

A bug introduced in the failed service logging was fixed.
2025-06-03 15:56:42 +01:00

44 lines
1.2 KiB
Text
Raw Blame History

##! This script adds the new column ``failed_service`` to the connection log.
##! The column contains the list of protocols in a connection that raised protocol
##! violations causing the analyzer to be removed. Protocols are listed in order
##! that they were removed.
@load base/protocols/conn
@load base/frameworks/analyzer/dpd
module Conn;
redef record Conn::Info += {
## List of analyzers in a connection that raised violations
## causing their removal.
## Analyzers are listed in order that they were removed.
failed_service: set[string] &log &optional &ordered;
};
event analyzer_failed(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
{
if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
return;
if ( ! info?$c )
return;
local c = info$c;
# Only add if previously confirmed and not failed
local analyzer_name = Analyzer::name(atype);
if ( analyzer_name !in c$service || analyzer_name in c$service_violation )
return;
set_conn(c, F);
local aname = to_lower(Analyzer::name(atype));
# No duplicate logging
if ( c$conn?$failed_service && aname in c$conn$failed_service )
return;
if ( ! c$conn?$failed_service )
c$conn$failed_service = set();
add c$conn$failed_service[aname];
}
Reference in a new issue View git blame Copy permalink