
This hook can be used to coordinate disabling an analyzer for a given connection. The contract is simple: any script can veto a disable_analyzer() call by breaking from this hook. The decision is local to the vetoing script, taking into account any state attached to the connection object or script-specific state stored elsewhere. A script that breaks from the hook takes over the responsibility to call disable_analyzer() at a later point, once it finds the condition for which it vetoed fulfilled (which may be never). Signature: disabling_analyzer: hook(c: connection, atype: AllAnalyzers::Tag, aid: count); Example use-cases are keeping the SSL analyzer enabled for fingerprinting until a certain number of bytes or packets has been transferred, or until the connection duration exceeds a certain threshold. Other example use-cases might be keeping the SSH, RDP or SSL analyzers enabled for connections from specific subnets. It's a bit quirky, as it turns disable_analyzer() into a best-effort operation whose outcome depends on the hook handlers of every loaded script. While log policy hooks and/or the notice hook have similar semantics, they are not as stateful. It still seems like a quite powerful primitive. The disable_analyzer() call in dpd/main.zeek may motivate the addition of a force flag as a follow-up for situations where the caller "knows better" or absolutely wants to override. Closes #1678 #1593.
# @TEST-DOC: Veto disable_analyzer() from the disabling_analyzer hook until at least 4 HTTP messages (requests and replies) have been counted on a connection; the disable then takes effect.
# @TEST-EXEC: zeek -b -r $TRACES/http/pipelined-requests.trace %INPUT >out
# @TEST-EXEC: btest-diff out
@load base/protocols/http
# Number of HTTP requests and replies seen per connection, incremented by the
# http_request and http_reply handlers below and consulted by the
# disabling_analyzer hook. Missing keys read as 0 thanks to &default.
# NOTE(review): entries are never removed; fine for a short pcap-driven test,
# but anyone copying this pattern into a long-running deployment should add an
# expiry attribute or clean up in connection_state_remove.
global msg_count: table[conn_id] of count &default=0;
# Print a marker when the HTTP analyzer confirms the protocol, so the baseline
# shows the point at which it became active. Confirmations of every other
# analyzer type are ignored. Priority 10 runs this ahead of default-priority
# handlers for the same event.
event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=10
	{
	if ( atype == Analyzer::ANALYZER_HTTP )
		print "proto confirm", atype;
	}
# Veto disable_analyzer() for any analyzer of the connection until at least 4 HTTP messages have been counted.
# Decide whether a disable_analyzer() call for this connection may proceed.
# Breaking out of the hook vetoes the call; falling through lets it happen.
# By vetoing, this script takes on the job of calling disable_analyzer() again
# later (http_request does so on every request).
#
# NOTE(review): the decision ignores atype/aid, so while the counter is low
# this vetoes the removal of *every* analyzer on the connection, not just
# HTTP. A production script should normally filter on atype.
hook disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
	{
	local seen = msg_count[c$id];

	if ( seen < 4 )
		{
		print "preventing disable_analyzer", c$id, atype, aid, seen;
		break;
		}

	print "allowing disable_analyzer", c$id, atype, aid, seen;
	}
# Count the request, then immediately try to disable the analyzer that raised
# this event. Whether the disable actually happens is decided by the
# disabling_analyzer hook; the bool result is printed so the baseline records
# each attempt. NOTE(review): the two trailing T arguments are passed
# positionally — confirm their meaning against the disable_analyzer() BIF
# documentation for the Zeek version in use.
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
	{
	++msg_count[c$id];
	print "http_request", method, original_URI;

	local disabled = disable_analyzer(c$id, current_analyzer(), T, T);
	print disabled;
	}
# Replies only advance the per-connection counter consulted by the
# disabling_analyzer hook; they never request a disable themselves.
event http_reply(c: connection, version: string, code: count, reason: string)
	{
	print "http_reply", code;
	++msg_count[c$id];
	}
# At shutdown, dump the whole counter table so the baseline shows how many
# requests and replies each connection produced.
event zeek_done()
	{
	local totals = msg_count;
	print "total http messages", totals;
	}