Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge remote-tracking branch 'origin/topic/timw/1221-unknown-protocols'

* origin/topic/timw/1221-unknown-protocols:
  GH-1221: Add unknown_protocols.log for logging packet analyzer lookup failures
  Remove default_analyzer for Ethernet packet analyzer

Showing 22 changed files with 229 additions and 35 deletions.
@@ -1 +1 @@ | ||
3.3.0-dev.506 | ||
3.3.0-dev.509 |
Submodule doc updated (6 files)
@@ -0,0 +1,64 @@ | ||
##! This script logs information about packet protocols that Zeek doesn't | ||
##! know how to process. Mostly these come from packet analysis plugins when | ||
##! they attempt to forward to the next analyzer, but they also can originate | ||
##! from non-packet analyzers. | ||
|
||
@load base/frameworks/notice | ||
|
||
module UnknownProtocol; | ||
|
||
export { | ||
redef enum Log::ID += { LOG }; | ||
|
||
global log_policy: Log::PolicyHook; | ||
|
||
type Info: record { | ||
## Timestamp for when the measurement occurred. | ||
ts: time &log; | ||
|
||
## The string name of the analyzer attempting to forward the protocol. | ||
analyzer: string &log; | ||
|
||
## The identifier of the protocol being forwarded. | ||
protocol_id: string &log; | ||
|
||
## A certain number of bytes at the start of the unknown protocol's | ||
## header. | ||
first_bytes: string &log; | ||
}; | ||
|
||
## How many reports for an analyzer/protocol pair will be allowed to | ||
## raise events before becoming rate-limited. | ||
const sampling_threshold : count = 3 &redef; | ||
|
||
## The rate-limiting sampling rate. One out of every of this number of | ||
## rate-limited pairs of a given type will be allowed to raise events | ||
## for further script-layer handling. Setting the sampling rate to 0 | ||
## will disable all output of rate-limited pairs. | ||
const sampling_rate : count = 100000 &redef; | ||
|
||
## How long an analyzer/protocol pair is allowed to keep state/counters in | ||
## in memory. Once the threshold has been hit, this is the amount of time | ||
## before the rate-limiting for a pair expires and is reset. | ||
const sampling_duration = 1hr &redef; | ||
|
||
## The number of bytes to extract from the next header and log in the | ||
## first bytes field. | ||
const first_bytes_count = 10 &redef; | ||
} | ||
|
||
event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: string) | ||
{ | ||
local info : Info; | ||
info$ts = network_time(); | ||
info$analyzer = analyzer_name; | ||
info$protocol_id = fmt("0x%x", protocol); | ||
info$first_bytes = bytestring_to_hexstr(first_bytes); | ||
|
||
Log::write(LOG, info); | ||
} | ||
|
||
event zeek_init() &priority=5 | ||
{ | ||
Log::create_stream(LOG, [$columns=Info, $path="unknown_protocols", $policy=log_policy]); | ||
} |
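Review bot: The doc comment on `ts` ("Timestamp for when the measurement occurred") reads as copied from another log's record type; this log records packet analyzer lookup failures, so "Timestamp for when the unknown protocol was observed" would be accurate. Two smaller points in the same block: the `sampling_duration` comment repeats "in" across the line break ("keep state/counters in / ## in memory"), and `@load base/frameworks/notice` is not used by anything in this file (there is no `Notice::` call), so it can be dropped. Also, none of `sampling_threshold`, `sampling_rate`, `sampling_duration` or `first_bytes_count` is referenced by the script itself, so a sentence in the header stating that they are consumed by the core packet-analysis code would save the next reader a search; that matters here because each `unknown_protocol` event writes raw header bytes from unhandled traffic to disk, and the rate-limiting is what keeps a flood of unknown frames from turning into a log-volume problem.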
testing/btest/Baseline/core.disable-mobile-ipv6/unknown_protocols.log (11 additions & 0 deletions)
@@ -0,0 +1,11 @@ | ||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. | ||
#separator \x09 | ||
#set_separator , | ||
#empty_field (empty) | ||
#unset_field - | ||
#path unknown_protocols | ||
#open XXXX-XX-XX-XX-XX-XX | ||
#fields ts analyzer protocol_id first_bytes | ||
#types time string string string | ||
XXXXXXXXXX.XXXXXX IP 0x87 3b010600d1da0080002a | ||
#close XXXX-XX-XX-XX-XX-XX |
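Review bot: `protocol_id` appears here as the hex string `0x87` (the IPv6 Mobility Header next-header value, 135 in decimal), following the `fmt("0x%x", protocol)` in the script; since IANA protocol numbers are conventionally quoted in decimal, consider noting the hex encoding in the `Info` record's doc for `protocol_id`, or logging the raw `count` alongside it, so that anyone building detections on this log does not compare against decimal values by mistake. The entry itself is the expected result of disabling Mobile IPv6: the IP analyzer now reports the unhandled next header instead of silently dropping it.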
testing/btest/Baseline/plugins.packet-protocol/output_orig (7 additions & 16 deletions)
@@ -1,20 +1,11 @@ | ||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. | ||
#separator \x09 | ||
#set_separator , | ||
#empty_field (empty) | ||
#unset_field - | ||
#path conn | ||
#open 2020-10-14-18-47-28 | ||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents | ||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] | ||
1599068759.619112 CHhAvVGS1DHFjwGM9 172.22.214.60 8 192.0.78.212 0 icmp - - - - OTH - - 0 - 1 28 0 0 - | ||
#close 2020-10-14-18-47-28 | ||
#separator \x09 | ||
#set_separator , | ||
#empty_field (empty) | ||
#unset_field - | ||
#path weird | ||
#open 2020-10-14-18-47-28 | ||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer | ||
#types time string addr port addr port string string bool string | ||
1599068759.647566 - 108.97.116.105 0 110.103.32.73 0 truncated_IPv6 - F zeek | ||
#close 2020-10-14-18-47-28 | ||
#path unknown_protocols | ||
#open XXXX-XX-XX-XX-XX-XX | ||
#fields ts analyzer protocol_id first_bytes | ||
#types time string string string | ||
XXXXXXXXXX.XXXXXX ETHERNET 0x88b5 4920616d20656e636170 | ||
#close XXXX-XX-XX-XX-XX-XX |
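Review bot: The removed `weird.log` lines deserve a mention in the commit message: with the Ethernet default analyzer in place, the EtherType 0x88b5 payload was handed down the IP path and misparsed, producing a `truncated_IPv6` weird whose "addresses" 108.97.116.105 and 110.103.32.73 are just the ASCII bytes "lati" and "ng I" of the test payload ("I am encapsulating IP"); the new `unknown_protocols` entry with the real first bytes (`4920616d20656e636170`, i.e. "I am encap") is the correct outcome and a much better signal for anyone triaging unexpected frames. The `conn.log` ICMP entry also disappears from this baseline, though; if that is expected for this test's pcap once the default analyzer is gone, please say so in the message, otherwise the baseline update would be hiding a regression.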
@@ -1,12 +1,13 @@ | ||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. | ||
raw_layer_message (Message = 'I am encapsulating IP', Protocol = 4950) | ||
#separator \x09 | ||
#set_separator , | ||
#empty_field (empty) | ||
#unset_field - | ||
#path conn | ||
#open 2020-10-14-18-47-51 | ||
#open XXXX-XX-XX-XX-XX-XX | ||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents | ||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] | ||
1599068759.647566 ClEkJM2Vm5giqnMf4h 172.22.214.60 8 192.0.78.150 0 icmp - - - - OTH - - 0 - 1 28 0 0 - | ||
1599068759.619112 CHhAvVGS1DHFjwGM9 172.22.214.60 8 192.0.78.212 0 icmp - - - - OTH - - 0 - 1 28 0 0 - | ||
#close 2020-10-14-18-47-51 | ||
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 172.22.214.60 8 192.0.78.150 0 icmp - - - - OTH - - 0 - 1 28 0 0 - | ||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.22.214.60 8 192.0.78.212 0 icmp - - - - OTH - - 0 - 1 28 0 0 - | ||
#close XXXX-XX-XX-XX-XX-XX |