
- All timers are now handled by a single global timer manager, which simplifies how they are handled by the IOSource manager. - This change flows down a number of changes to other parts of the code. The timer manager tag field is removed, which means that matching connections to a timer manager is also removed. This removes the ability to tag a connection as internal or external, since that's how the connections were differentiated. This in turn removes the `current_conns_extern` field from the `ConnStats` record type in the script layer.
##! This script handles core-generated, connection-related "weird" events to
##! push weird information about connections into the weird framework.
##! The handlers in this file report those events as notices.
##! For live operational deployments, this can frequently cause load issues
##! due to the large number of these events, so it quite possibly shouldn't
##! be loaded.
@load base/frameworks/notice
module Conn;
# Notice types this script adds to the notice framework. Both are raised
# from the event handlers in this file.
export {
	redef enum Notice::Type += {
		## Raised from the rexmit_inconsistency event. Possible
		## evasion, but in practice usually just noise ("chud"),
		## so triage it together with other evidence for the
		## same connection rather than alerting on it alone.
		Retransmission_Inconsistency,

		## Raised from the content_gap event: the data has a
		## sequence hole, perhaps due to filtering.
		Content_Gap,
	};
}
# Turns a core rexmit_inconsistency event into a
# Retransmission_Inconsistency notice.
#
# c: the connection the event was raised for.
# t1, t2: the two strings supplied by the event, copied into the message
#         in parentheses. NOTE(review): these look like the conflicting
#         payloads, i.e. data taken off the wire -- confirm against the
#         event's documentation. If so, anything that parses or renders
#         the notice $msg downstream should treat it as untrusted text.
# tcp_flags: flags string supplied by the event, copied in brackets.
event rexmit_inconsistency(c: connection, t1: string, t2: string, tcp_flags: string)
	{
	# The connection ID doubles as the notice identifier, which is the key
	# the notice framework uses when suppressing repeated notices.
	local conn_key = fmt("%s", c$id);
	local text = fmt("%s rexmit inconsistency (%s) (%s) [%s]",
	                 id_string(c$id), t1, t2, tcp_flags);

	NOTICE([$note=Retransmission_Inconsistency,
	        $conn=c,
	        $msg=text,
	        $identifier=conn_key]);
	}
# Turns a core content_gap event into a Content_Gap notice.
#
# c: the connection the gap was seen on.
# is_orig: selects the direction marker in the message
#          (">" when true, "<" when false).
# seq, length: the two counts supplied by the event, printed as "seq/length".
#
# No $identifier is set here, so the notice carries no suppression key and
# every content_gap event produces its own notice. That is worth keeping in
# mind alongside the load warning in this script's header.
event content_gap(c: connection, is_orig: bool, seq: count, length: count)
	{
	local direction = is_orig ? ">" : "<";
	local text = fmt("%s content gap (%s %d/%d)",
	                 id_string(c$id), direction, seq, length);

	NOTICE([$note=Content_Gap, $conn=c, $msg=text]);
	}