Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 03:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/policy/functions.bro
Seth Hall 03044c329e Initial movement towards rewritten ftp.bro script. 
* All NOTICE functionality is currently removed.
* All "hot" functionality is removed.
2011-03-08 17:01:29 -05:00

96 lines
2.3 KiB
Text
Raw Blame History

@load site
@load logging
# Returns true if the given string is at least 25% composed of 8-bit
# characters.
function is_string_binary(s: string): bool
{
return byte_len(gsub(s, /[\x00-\x7f]/, "")) * 100 / |s| >= 25;
}
# Simple functions for generating ASCII connection identifiers.
############# BEGIN ID FORMATTING #############
function id_string(id: conn_id): string
{
return fmt("%s %d > %s %d",
id$orig_h, id$orig_p,
id$resp_h, id$resp_p);
}
function reverse_id_string(id: conn_id): string
{
return fmt("%s %d < %s %d",
id$orig_h, id$orig_p,
id$resp_h, id$resp_p);
}
function directed_id_string(id: conn_id, is_orig: bool): string
{
return is_orig ? id_string(id) : reverse_id_string(id);
}
############# END ID FORMATTING #############
############# BEGIN THRESHOLD CHECKING #############
type track_count: record {
n: count &default=0;
index: count &default=0;
};
function default_track_count(a: addr): track_count
{
local x: track_count;
return x;
}
const default_notice_thresholds: vector of count = {
30, 100, 1000, 10000, 100000, 1000000, 10000000,
} &redef;
# This is total rip off from scan.bro, but placed in the global namespace
# and slightly reworked to be easier to work with and more general.
function check_threshold(v: vector of count, tracker: track_count): bool
{
if ( tracker$index <= |v| && tracker$n >= v[tracker$index] )
{
++tracker$index;
return T;
}
return F;
}
function default_check_threshold(tracker: track_count): bool
{
return check_threshold(default_notice_thresholds, tracker);
}
############# END THRESHOLD CHECKING #############
# Some enums for deciding what and when to log.
type Directions_and_Hosts: enum {
Inbound, Outbound,
LocalHosts, RemoteHosts,
Enabled, Disabled
};
const DIRECTIONS = set(Inbound, Outbound, Enabled, Disabled);
const HOSTS = set(LocalHosts, RemoteHosts, Enabled, Disabled);
function id_matches_directions(id: conn_id, d: Directions_and_Hosts): bool
{
if ( d == Disabled ) return F;
return ( d == Enabled ||
(d == Outbound && is_local_addr(id$orig_h)) ||
(d == Inbound && is_local_addr(id$resp_h)) );
}
function addr_matches_hosts(ip: addr, h: Directions_and_Hosts): bool
{
if ( h == Disabled ) return F;
return ( h == Enabled ||
(h == LocalHosts && is_local_addr(ip)) ||
(h == RemoteHosts && !is_local_addr(ip)) );
}
Reference in a new issue View git blame Copy permalink