Review cleanup

scripts/policy/misc/unknown-protocols.zeek

@@ -15,30 +15,36 @@ export {
 	type Info: record {
 		## Timestamp for when the measurement occurred.
 		ts:           time     &log;
-		##
+
+		## The string name of the analyzer attempting to forward the protocol.
 		analyzer:     string   &log;
+
+		## The identifier of the protocol being forwarded.
 		protocol_id:  string   &log;
+
+		## A certain number of bytes at the start of the unknown protocol's
+		## header.
 		first_bytes:  string   &log;
 	};
 
 	## How many reports for an analyzer/protocol pair will be allowed to
-	## raise events for logging being rate-limited.
-	option sampling_threshold : count = 25 &redef;
+	## raise events before becoming rate-limited.
+	const sampling_threshold : count = 3 &redef;
 
 	## The rate-limiting sampling rate. One out of every of this number of
 	## rate-limited pairs of a given type will be allowed to raise events
 	## for further script-layer handling. Setting the sampling rate to 0
 	## will disable all output of rate-limited pairs.
-	option sampling_rate : count = 1000 &redef;
+	const sampling_rate : count = 100000 &redef;
 
 	## How long an analyzer/protocol pair is allowed to keep state/counters in
 	## in memory. Once the threshold has been hit, this is the amount of time
 	## before the rate-limiting for a pair expires and is reset.
-	option sampling_duration = 10min &redef;
+	const sampling_duration = 1hr &redef;
 
 	## The number of bytes to extract from the next header and log in the
 	## first bytes field.
-	option first_bytes_count = 10 &redef;
+	const first_bytes_count = 10 &redef;
 }
 
 event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: string)
@@ -47,7 +53,7 @@ event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: stri
 	info$ts = network_time();
 	info$analyzer = analyzer_name;
 	info$protocol_id = fmt("0x%x", protocol);
-	info$first_bytes = first_bytes;
+	info$first_bytes = bytestring_to_hexstr(first_bytes);
 
 	Log::write(LOG, info);
 	}

src/event.bif

@@ -881,5 +881,10 @@ event Pcap::file_done%(path: string%);
 ## know how to handle.
 ##
 ## analzyer_name: The string name of the analyzer attempting to forward the protocol
+##
 ## protocol: The identifier of the protocol being forwarded
+##
+## first_bytes: A certain number of bytes at the start of the unknown protocol's header.
+##
+## .. zeek:see:: UnknownProtocol::first_bytes_count
 event unknown_protocol%(analyzer_name: string, protocol: count, first_bytes: string%);

src/packet_analysis/Manager.cc

@@ -2,9 +2,6 @@
 
 #include "Manager.h"
 
-#include <sstream>
-#include <iomanip>
-
 #include "Analyzer.h"
 #include "Dispatcher.h"
 #include "zeek-bif.h"
@@ -232,19 +229,12 @@ void Manager::ReportUnknownProtocol(const std::string& analyzer, uint32_t protoc
 		{
 		if ( PermitUnknownProtocol(analyzer, protocol ) )
 			{
-			std::stringstream ss;
-
-			if ( data )
-				{
-				ss << std::hex;
-				for ( int i = 0; i < unknown_first_bytes_count && i < len; i++ )
-					ss << std::setw(2) << std::setfill('0') << (int)data[i];
-				}
+			int bytes_len = std::min(unknown_first_bytes_count, static_cast<uint64_t>(len));
 
 			event_mgr.Enqueue(unknown_protocol,
 			                  make_intrusive<StringVal>(analyzer),
 			                  val_mgr->Count(protocol),
-			                  make_intrusive<StringVal>(ss.str()));
+			                  make_intrusive<StringVal>(bytes_len, (const char*) data));
 			}
 		}
 	}

testing/external/commit-hash.zeek-testing

@@ -1 +1 @@
-b02949894856693d20f85f32e96ec7d82130b73c
+a980aa1442f51a0c4e4af1061a04dc80038d3d04

testing/external/commit-hash.zeek-testing-private

@@ -1 +1 @@
-0d5bf980bc3988aab541e6564ef99e90ff741235
+6ad4fea341372a377101f89dfc19f9a3a0e1df62