mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
34956f4ca4
Remove overhead of unconditionally calling remove_teredo_connection() for *every* connection by installing a connection removal hook for only when state was allocated.
39 lines
1.2 KiB
Text
39 lines
1.2 KiB
Text
module PacketAnalyzer::TEREDO;
|
|
|
|
# This needs to be loaded here so the functions are available. Function BIFs normally aren't
|
|
# loaded until after the packet analysis init scripts are run, and then zeek complains it
|
|
# can't find the function.
|
|
@load base/bif/plugins/Zeek_Teredo.events.bif.zeek
|
|
@load base/bif/plugins/Zeek_Teredo.functions.bif
|
|
|
|
# Needed for port registration for BPF
|
|
@load base/frameworks/analyzer/main
|
|
|
|
# Needed to register Conn::RemovalHook
|
|
@load base/protocols/conn/removal-hooks
|
|
|
|
export {
|
|
## Default analyzer
|
|
const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
|
|
}
|
|
|
|
const teredo_ports = { 3544/udp };
|
|
redef likely_server_ports += { teredo_ports };
|
|
|
|
event zeek_init() &priority=20
|
|
{
|
|
PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO);
|
|
PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, teredo_ports);
|
|
}
|
|
|
|
# The analyzer keeps state about each Teredo connection in the
|
|
# orig_resp_map. Register cleanup.
|
|
hook finalize_teredo(c: connection)
|
|
{
|
|
remove_teredo_connection(c$id);
|
|
}
|
|
|
|
event new_teredo_state(c: connection)
|
|
{
|
|
Conn::register_removal_hook(c, finalize_teredo);
|
|
}
|