base/frameworks/analyzer/dpd.zeek

DPD

Activates port-independent protocol detection and selectively disables analyzers if protocol violations occur.

Namespace

DPD

Summary

Runtime Options

DPD::ignore_violations: set &redef

Analyzers which you don’t want to throw

DPD::ignore_violations_after: count &redef

Ignore violations which go this many bytes into the connection.

DPD::max_violations: table &default = 5 &optional &redef

Number of protocol violations to tolerate before disabling an analyzer.

Types

DPD::Info: record

The record type defining the columns to log in the DPD logging stream.

DPD::State: record

Ongoing DPD state tracking information.

Redefinitions

Log::ID: enum

Add the DPD logging stream identifier.

connection: record

New Fields

connection

dpd: DPD::Info &optional

dpd_state: DPD::State &optional

service_violation: set [string] &default = {  } &optional

The set of services (analyzers) for which Zeek has observed a violation after the same service had previously been confirmed.

Hooks

DPD::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Detailed Interface

Runtime Options

DPD::ignore_violations
Type

set [Analyzer::Tag]

Attributes

&redef

Default

{}

Redefinition

from base/protocols/dce-rpc/main.zeek

+=:

Analyzer::ANALYZER_DCE_RPC
Redefinition

from base/protocols/ntlm/main.zeek

+=:

Analyzer::ANALYZER_NTLM

Analyzers which you don’t want to throw

DPD::ignore_violations_after
Type

count

Attributes

&redef

Default

10240

Ignore violations which go this many bytes into the connection. Set to 0 to never ignore protocol violations.

DPD::max_violations
Type

table [Analyzer::Tag] of count

Attributes

&default = 5 &optional &redef

Default

{}

Number of protocol violations to tolerate before disabling an analyzer.

Types

DPD::Info
Type

record

ts: time &log

Timestamp for when protocol analysis failed.

uid: string &log

Connection unique ID.

id: conn_id &log

Connection ID containing the 4-tuple which identifies endpoints.

proto: transport_proto &log

Transport protocol for the violation.

analyzer: string &log

The analyzer that generated the violation.

failure_reason: string &log

The textual reason for the analysis failure.

packet_segment: string &optional &log

(present if policy/frameworks/dpd/packet-segment-logging.zeek is loaded)

A chunk of the payload that most likely resulted in the analyzer violation.

The record type defining the columns to log in the DPD logging stream.

DPD::State
Type

record

violations: table [count] of count

Current number of protocol violations seen per analyzer instance.

Ongoing DPD state tracking information.

Hooks

DPD::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.