mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 15:18:20 +00:00
1bd658da8f
This adds a "policy" hook into the logging framework's streams and
filters to replace the existing log filter predicates. The hook
signature is as follows:
hook(rec: any, id: Log::ID, filter: Log::Filter);
The logging manager invokes hooks on each log record. Hooks can veto
log records via a break, and modify them if necessary. Log filters
inherit the stream-level hook, but can override or remove the hook as
needed.
The distribution's existing log streams now come with pre-defined
hooks that users can add handlers to. Their name is standardized as
"log_policy" by convention, with additional suffixes when a module
provides multiple streams. The following adds a handler to the Conn
module's default log policy hook:
hook Conn::log_policy(rec: Conn::Info, id: Log::ID, filter: Log::Filter)
{
if ( some_veto_reason(rec) )
break;
}
By default, this handler will get invoked for any log filter
associated with the Conn::LOG stream.
The existing predicates are deprecated for removal in 4.1 but continue
to work.
60 lines
1.7 KiB
Text
60 lines
1.7 KiB
Text
##! Script for tracking known Modbus masters and slaves.
|
|
##!
|
|
##! .. todo:: This script needs a lot of work. What might be more interesting
|
|
##! is to track master/slave relationships based on commands sent and
|
|
##! successful (non-exception) responses.
|
|
|
|
@load base/protocols/modbus
|
|
|
|
module Known;
|
|
|
|
export {
|
|
redef enum Log::ID += { MODBUS_LOG };
|
|
|
|
global log_policy_modbus: Log::PolicyHook;
|
|
|
|
type ModbusDeviceType: enum {
|
|
MODBUS_MASTER,
|
|
MODBUS_SLAVE,
|
|
};
|
|
|
|
type ModbusInfo: record {
|
|
## The time the device was discovered.
|
|
ts: time &log;
|
|
## The IP address of the host.
|
|
host: addr &log;
|
|
## The type of device being tracked.
|
|
device_type: ModbusDeviceType &log;
|
|
};
|
|
|
|
## The Modbus nodes being tracked.
|
|
global modbus_nodes: set[addr, ModbusDeviceType] &create_expire=1day &redef;
|
|
|
|
## Event that can be handled to access the loggable record as it is sent
|
|
## on to the logging framework.
|
|
global log_known_modbus: event(rec: ModbusInfo);
|
|
}
|
|
|
|
event zeek_init() &priority=5
|
|
{
|
|
Log::create_stream(Known::MODBUS_LOG, [$columns=ModbusInfo, $ev=log_known_modbus, $path="known_modbus", $policy=log_policy_modbus]);
|
|
}
|
|
|
|
event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
|
|
{
|
|
local master = c$id$orig_h;
|
|
local slave = c$id$resp_h;
|
|
|
|
if ( [master, MODBUS_MASTER] !in modbus_nodes )
|
|
{
|
|
add modbus_nodes[master, MODBUS_MASTER];
|
|
Log::write(MODBUS_LOG, [$ts=network_time(), $host=master, $device_type=MODBUS_MASTER]);
|
|
}
|
|
|
|
if ( [slave, MODBUS_SLAVE] !in modbus_nodes )
|
|
{
|
|
add modbus_nodes[slave, MODBUS_SLAVE];
|
|
Log::write(MODBUS_LOG, [$ts=network_time(), $host=slave, $device_type=MODBUS_SLAVE]);
|
|
}
|
|
|
|
}
|