base/frameworks/dpd/main.bro

DPD

Activates port-independent protocol detection and selectively disables analyzers if protocol violations occur.

Namespace: DPD

Summary

Runtime Options

DPD::ignore_violations: set &redef Analyzers which you don’t want to throw
DPD::ignore_violations_after: count &redef Ignore violations which go this many bytes into the connection.

Types

DPD::Info: record The record type defining the columns to log in the DPD logging stream.

Redefinitions

Log::ID: enum Add the DPD logging stream identifier.
connection: record

Detailed Interface

Runtime Options

DPD::ignore_violations
Type: set[Analyzer::Tag]
Attributes: &redef
Default:
{
   Analyzer::ANALYZER_DCE_RPC,
   Analyzer::ANALYZER_NTLM
}

Analyzers which you don’t want to throw

DPD::ignore_violations_after
Type: count
Attributes: &redef
Default: 10240

Ignore violations which go this many bytes into the connection. Set to 0 to never ignore protocol violations.

Types

DPD::Info
Type: record

ts: time &log

Timestamp for when protocol analysis failed.

uid: string &log

Connection unique ID.

id: conn_id &log

Connection ID containing the 4-tuple which identifies endpoints.

proto: transport_proto &log

Transport protocol for the violation.

analyzer: string &log

The analyzer that generated the violation.

failure_reason: string &log

The textual reason for the analysis failure.

disabled_aids: set[count]

Disabled analyzer IDs. This is only for internal tracking so as to not attempt to disable analyzers multiple times.

packet_segment: string &optional &log

(present if policy/frameworks/dpd/packet-segment-logging.bro is loaded)

A chunk of the payload that most likely resulted in the protocol violation.

The record type defining the columns to log in the DPD logging stream.
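The logged fields of DPD::Info above become the columns of Zeek/Bro's tab-separated ASCII dpd.log. As an added example, not part of this documentation or of the Bro distribution, the following Python reads that log format and summarizes violations per analyzer and responder port; the embedded sample log and every value in it are constructed.

```python
from collections import Counter

# Constructed sample of a Zeek/Bro ASCII dpd.log (every value is invented). Columns
# follow DPD::Info: conn_id expands to id.orig_h/id.orig_p/id.resp_h/id.resp_p and
# packet_segment appears only with policy/frameworks/dpd/packet-segment-logging.bro.
SAMPLE_DPD_LOG = """#separator \\x09
#set_separator\t,
#unset_field\t-
#path\tdpd
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tanalyzer\tfailure_reason\tpacket_segment
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring
1300475168.859163\tCHhAvVGS1DHFjwGM9\t192.168.1.10\t49152\t10.0.0.5\t80\ttcp\tHTTP\tnot a http request line\t-
1300475170.123456\tC4J4Th3PJpwUYZZ6gc\t192.168.1.11\t49153\t10.0.0.5\t443\ttcp\tSSL\tInvalid version late in TLS handshake\t\\x16\\x03\\x01
#close\t2011-03-18-19-06-13
"""


def parse_dpd_log(text):
    """Parse Zeek's ASCII log format into dicts keyed by the #fields header;
    unset fields (#unset_field, normally '-') become None."""
    sep, unset, fields, records = "\t", "-", [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator line is space-delimited and escaped, e.g. '\x09'.
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            else:
                key, _, val = line[1:].partition(sep)
                if key == "fields":
                    fields = val.split(sep)
                elif key == "unset_field":
                    unset = val
            continue
        vals = line.split(sep)
        records.append({f: (None if v == unset else v) for f, v in zip(fields, vals)})
    return records


def summarize_violations(records):
    """Count violations per (analyzer, transport proto) and collect the responder
    ports each analyzer failed on: a port that keeps failing the analyzer DPD picked
    for it is either mis-detected or carrying something that only looks like it."""
    counts, ports = Counter(), {}
    for r in records:
        counts[(r["analyzer"], r["proto"])] += 1
        ports.setdefault(r["analyzer"], set()).add(int(r["id.resp_p"]))
    return counts, ports
```

On a real file, `summarize_violations(parse_dpd_log(open("dpd.log").read()))` gives the same per-analyzer counts and port sets.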