base/frameworks/analyzer/dpd.zeek

DPD

Activates port-independent protocol detection and selectively disables analyzers if protocol violations occur.

Namespace:: DPD

Summary

Runtime Options

`DPD::ignore_violations`: `set` `&redef`	Analyzers which you don’t want to throw
`DPD::ignore_violations_after`: `count` `&redef`	Ignore violations which go this many bytes into the connection.
`DPD::max_violations`: `table` `&default` = `5` `&optional` `&redef`	Number of protocol violations to tolerate before disabling an analyzer.

Types

`DPD::Info`: `record`	The record type defining the columns to log in the DPD logging stream.
`DPD::State`: `record`	Ongoing DPD state tracking information.

Redefinitions

Log::ID: enum

Add the DPD logging stream identifier.

DPD::LOG

connection: record

New Fields:

dpd: DPD::Info &optional

dpd_state: DPD::State &optional

service_violation: set [string] &default = { } &optional: The set of services (analyzers) for which Zeek has observed a violation after the same service had previously been confirmed.

Hooks

DPD::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Detailed Interface

Runtime Options

DPD::ignore_violations 

Type:

set [Analyzer::Tag]

Attributes:

Default:

{}

Redefinition:

from base/protocols/dce-rpc/main.zeek

+=:

Analyzer::ANALYZER_DCE_RPC

Redefinition:

from base/protocols/ntlm/main.zeek

+=:

Analyzer::ANALYZER_NTLM

Analyzers which you don’t want to throw

DPD::ignore_violations_after 

Type:: count
Attributes:: &redef
Default:: 10240

Ignore violations which go this many bytes into the connection. Set to 0 to never ignore protocol violations.

DPD::max_violations 

Type:: table [Analyzer::Tag] of count
Attributes:: &default = 5 &optional &redef
Default:: {}

Number of protocol violations to tolerate before disabling an analyzer.

Types

DPD::Info 

Type:

ts: time &log

Timestamp for when protocol analysis failed.

uid: string &log

Connection unique ID.

id: conn_id &log

Connection ID containing the 4-tuple which identifies endpoints.

proto: transport_proto &log

Transport protocol for the violation.

analyzer: string &log

The analyzer that generated the violation.

failure_reason: string &log

The textual reason for the analysis failure.

packet_segment: string &optional &log

(present if policy/frameworks/dpd/packet-segment-logging.zeek is loaded)

A chunk of the payload that most likely resulted in the analyzer violation.

The record type defining the columns to log in the DPD logging stream.

DPD::State 

Type:

violations: table [count] of count: Current number of protocol violations seen per analyzer instance.

Ongoing DPD state tracking information.

Hooks

DPD::log_policy 

Type:: Log::PolicyHook

A default logging policy hook for the stream.