base/frameworks/analyzer/main.zeek

Analyzer

Framework for managing Zeek’s protocol analyzers.

The analyzer framework allows analyzers to be enabled or disabled dynamically, and manages the well-known ports that automatically activate a particular analyzer for new connections.

Protocol analyzers are identified by unique tags of type Analyzer::Tag, such as Analyzer::ANALYZER_HTTP. These tags are defined internally by the analyzers themselves, and documented in their analyzer-specific description along with the events that they generate.

Analyzer tags are also inserted into a global AllAnalyzers::Tag enum type. This type contains duplicates of all of the Analyzer::Tag, PacketAnalyzer::Tag and Files::Tag enum values and can be used for arguments to function/hook/event definitions where they need to handle any analyzer type. See Analyzer::register_for_ports for an example.

Namespace

Analyzer

Imports

base/bif/analyzer.bif.zeek, base/bif/file_analysis.bif.zeek, base/bif/packet_analysis.bif.zeek, base/frameworks/packet-filter/utils.zeek

Summary

State Variables

Analyzer::disable_all: bool &redef

If true, all available analyzers are initially disabled at startup.

Analyzer::disabled_analyzers: set &redef

A set of analyzers to disable by default at startup.

Analyzer::ports: table

A table of ports mapped to analyzers that handle those ports.

Analyzer::requested_analyzers: set &redef

A set of protocol, packet or file analyzer tags requested to be enabled during startup.

Functions

Analyzer::all_registered_ports: function

Returns a table of all ports-to-analyzer mappings currently registered.

Analyzer::analyzer_to_bpf: function

Automatically creates a BPF filter for the specified protocol based on the data supplied for the protocol through the Analyzer::register_for_ports function.

Analyzer::disable_analyzer: function

Disables an analyzer.

Analyzer::enable_analyzer: function

Enables an analyzer.

Analyzer::get_bpf: function

Create a BPF filter which matches all of the ports defined by the various protocol analysis scripts as “registered ports” for the protocol.

Analyzer::get_tag: function

Translates an analyzer’s name to a tag enum value.

Analyzer::has_tag: function

Check whether the given analyzer name exists.

Analyzer::name: function

Translates an analyzer type to a string with the analyzer’s name.

Analyzer::register_for_port: function

Registers an individual well-known port for an analyzer.

Analyzer::register_for_ports: function

Registers a set of well-known ports for an analyzer.

Analyzer::registered_ports: function

Returns a set of all well-known ports currently registered for a specific analyzer.

Analyzer::schedule_analyzer: function

Schedules an analyzer for a future connection originating from a given IP address and port.

Detailed Interface

State Variables

Analyzer::disable_all
Type

bool

Attributes

&redef

Default

F

If true, all available analyzers are initially disabled at startup. One can then selectively enable them with Analyzer::enable_analyzer.

Analyzer::disabled_analyzers
Type

set [AllAnalyzers::Tag]

Attributes

&redef

Default
{
   AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS
}

A set of analyzers to disable by default at startup. The default set contains legacy analyzers that are no longer supported.

Analyzer::ports
Type

table [AllAnalyzers::Tag] of set [port]

Default

{}

A table of ports mapped to analyzers that handle those ports. This is used by BPF filtering and DPD. Session analyzers can add to this using Analyzer::register_for_port(s) and packet analyzers can add to this using PacketAnalyzer::register_for_port(s).

Analyzer::requested_analyzers
Type

set [AllAnalyzers::Tag]

Attributes

&redef

Default

{}

A set of protocol, packet or file analyzer tags requested to be enabled during startup.

By default, all analyzers in Zeek are enabled. When all analyzers are disabled through Analyzer::disable_all, this set records the analyzers that should be enabled again during Zeek startup.

This set can be added to via redef.
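An added example, not part of the Zeek distribution, of the allow-list startup mode these variables support: every analyzer starts disabled, only the listed ones are turned back on, and the default disabled set is extended as well. The analyzer tags are real ones; which analyzers to enable or disable is an assumption made for illustration. As the overview notes, Analyzer::Tag values are accepted where AllAnalyzers::Tag is expected.

```zeek
# Added example (not from the Zeek distribution): allow-list startup mode.
# Start with everything off ...
redef Analyzer::disable_all = T;

# ... and request only the analyzers this deployment needs. The set is
# additive via redef, so several scripts can each contribute entries.
redef Analyzer::requested_analyzers += {
	Analyzer::ANALYZER_HTTP,
	Analyzer::ANALYZER_DNS,
	Analyzer::ANALYZER_SSL
};

# The framework's default set (TCPSTATS) stays; SSH is switched off in
# addition. Which analyzer to disable here is an arbitrary choice for the
# example.
redef Analyzer::disabled_analyzers += { Analyzer::ANALYZER_SSH };

# The framework applies disable_all, disabled_analyzers and
# requested_analyzers in its own zeek_init handler at &priority=5, so a
# lower-priority handler sees the final state and can log what was requested.
event zeek_init() &priority=-5
	{
	for ( t in Analyzer::requested_analyzers )
		print fmt("requested analyzer %s, registered ports: %s",
		          Analyzer::name(t), Analyzer::registered_ports(t));
	}
```

The redefs belong in a script loaded from local.zeek (or on the command line); the zeek_init handler is only there to make the resulting configuration visible at startup.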

Functions

Analyzer::all_registered_ports
Type

function () : table [AllAnalyzers::Tag] of set [port]

Returns a table of all ports-to-analyzer mappings currently registered.

Returns

A table mapping each analyzer to the set of ports registered for it.

Analyzer::analyzer_to_bpf
Type

function (tag: Analyzer::Tag) : string

Automatically creates a BPF filter for the specified protocol based on the data supplied for the protocol through the Analyzer::register_for_ports function.

Parameters

tag – The analyzer tag.

Returns

BPF filter string.

Analyzer::disable_analyzer
Type

function (tag: AllAnalyzers::Tag) : bool

Disables an analyzer. Once disabled, the analyzer will not be used further for analysis of future connections.

Parameters

tag – The tag of the analyzer to disable.

Returns

True if the analyzer was successfully disabled.

Analyzer::enable_analyzer
Type

function (tag: AllAnalyzers::Tag) : bool

Enables an analyzer. Once enabled, the analyzer may be used for analysis of future connections as decided by Zeek’s dynamic protocol detection.

Parameters

tag – The tag of the analyzer to enable.

Returns

True if the analyzer was successfully enabled.

Analyzer::get_bpf
Type

function () : string

Create a BPF filter which matches all of the ports defined by the various protocol analysis scripts as “registered ports” for the protocol.

Analyzer::get_tag
Type

function (name: string) : AllAnalyzers::Tag

Translates an analyzer’s name to a tag enum value.

Parameters

name – The analyzer name.

Returns

The analyzer tag corresponding to the name.

Analyzer::has_tag
Type

function (name: string) : bool

Check whether the given analyzer name exists.

This can be used before calling Analyzer::get_tag to verify that the given string is a valid analyzer name.

Parameters

name – The analyzer name.

Returns

True if the given name is a valid analyzer, else false.

Analyzer::name
Type

function (atype: AllAnalyzers::Tag) : string

Translates an analyzer type to a string with the analyzer’s name.

Parameters

atype – The analyzer tag.

Returns

The analyzer name corresponding to the tag.
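An added example, not part of Zeek's own scripts, tying Analyzer::has_tag, Analyzer::get_tag, Analyzer::name and Analyzer::disable_analyzer together: a set of analyzer names given as strings (as they might arrive from a configuration file) is validated and resolved to tags before anything is disabled. The module name AnalyzerPolicy and the contents of the name set are assumptions for this example; "NOT_A_REAL_ANALYZER" is a constructed invalid entry to exercise the has_tag check.

```zeek
# Added example (not part of the Zeek distribution).
module AnalyzerPolicy;   # hypothetical module name

export {
	## Analyzer names, as strings, to turn off at startup. The second entry
	## is deliberately invalid to show the validation path.
	const analyzers_to_disable: set[string] = {
		"SSH",
		"NOT_A_REAL_ANALYZER"
	} &redef;
}

event zeek_init()
	{
	for ( n in analyzers_to_disable )
		{
		# get_tag on an unknown name is an error, so check first.
		if ( ! Analyzer::has_tag(n) )
			{
			Reporter::warning(fmt("unknown analyzer name '%s' ignored", n));
			next;
			}

		local t = Analyzer::get_tag(n);

		# disable_analyzer reports whether the request took effect; name()
		# turns the tag back into the canonical spelling for the log line.
		if ( Analyzer::disable_analyzer(t) )
			print fmt("disabled analyzer %s", Analyzer::name(t));
		else
			Reporter::warning(fmt("could not disable analyzer %s", Analyzer::name(t)));
		}
	}
```

Resolving names this way keeps a typo in the configuration from aborting startup: the bad entry produces a reporter warning and the remaining entries are still applied.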

Analyzer::register_for_port
Type

function (tag: Analyzer::Tag, p: port) : bool

Registers an individual well-known port for an analyzer. If a future connection on this port is seen, the analyzer will be automatically assigned to parsing it. The function adds to all ports already registered, it doesn’t replace them.

Parameters
  • tag – The tag of the analyzer.

  • p – The well-known port to associate with the analyzer.

Returns

True if the port was successfully registered.

Analyzer::register_for_ports
Type

function (tag: Analyzer::Tag, ports: set [port]) : bool

Registers a set of well-known ports for an analyzer. If a future connection on one of these ports is seen, the analyzer will be automatically assigned to parsing it. The function adds to all ports already registered, it doesn’t replace them.

Parameters
  • tag – The tag of the analyzer.

  • ports – The set of well-known ports to associate with the analyzer.

Returns

True if the ports were successfully registered.

Analyzer::registered_ports
Type

function (tag: AllAnalyzers::Tag) : set [port]

Returns a set of all well-known ports currently registered for a specific analyzer.

Parameters

tag – The tag of the analyzer.

Returns

The set of ports.
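An added example, not one of Zeek's own protocol scripts, showing Analyzer::register_for_ports, Analyzer::registered_ports, Analyzer::analyzer_to_bpf and Analyzer::get_bpf together: two extra well-known ports are registered for the HTTP analyzer, and the registration and the resulting BPF expressions are read back. The port values and the name extra_http_ports are constructed for this example; that Zeek's own protocol scripts register their ports from zeek_init at &priority=5 is how the distribution's scripts are written.

```zeek
# Added example (not part of the Zeek distribution). Port values constructed.
const extra_http_ports: set[port] = { 8008/tcp, 8081/tcp } &redef;

# Zeek's protocol scripts register their ports from zeek_init at
# &priority=5; the same priority is used here so the ports are in place
# before anything that consumes Analyzer::ports runs.
event zeek_init() &priority=5
	{
	# register_for_ports adds to the ports already registered for HTTP;
	# the analyzer's default ports remain registered.
	if ( ! Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, extra_http_ports) )
		Reporter::warning("failed to register extra HTTP ports");
	}

# A lower priority runs after all registrations, so the read-back reflects
# both the defaults and the additions above.
event zeek_init() &priority=-10
	{
	for ( p in Analyzer::registered_ports(Analyzer::ANALYZER_HTTP) )
		print fmt("HTTP registered on %s", p);

	# The BPF fragment for HTTP alone, and the combined filter covering
	# every analyzer's registered ports.
	print fmt("HTTP BPF: %s", Analyzer::analyzer_to_bpf(Analyzer::ANALYZER_HTTP));
	print fmt("combined BPF: %s", Analyzer::get_bpf());

	# Every analyzer-to-ports mapping currently known to the framework.
	for ( t, ps in Analyzer::all_registered_ports() )
		print fmt("%s -> %s", Analyzer::name(t), ps);
	}
```

A registered port only decides which analyzer is attached first; traffic on other ports can still reach the analyzer through dynamic protocol detection, and a registration on the wrong port simply costs a failed attach attempt.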

Analyzer::schedule_analyzer
Type

function (orig: addr, resp: addr, resp_p: port, analyzer: Analyzer::Tag, tout: interval) : bool

Schedules an analyzer for a future connection originating from a given IP address and port.

Parameters
  • orig – The IP address originating a connection in the future. 0.0.0.0 can be used as a wildcard to match any originator address.

  • resp – The IP address responding to a connection from orig.

  • resp_p – The destination port at resp.

  • analyzer – The analyzer ID.

  • tout – A timeout interval after which the scheduling request will be discarded if the connection has not yet been seen.

Returns

True if successful.
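An added example, not Zeek's own FTP script, of Analyzer::schedule_analyzer for a dynamically negotiated data channel. It assumes the calling script has already learned, from a control connection c, that a data connection will be opened to data_h:data_p (the passive-mode FTP pattern); the function name schedule_data_channel and the wildcard_orig parameter are assumptions for this example, while Analyzer::ANALYZER_FTP_DATA is a real tag.

```zeek
# Added example (not part of the Zeek distribution).
# Schedule the FTP data analyzer for an upcoming connection to data_h:data_p.
# c is the control connection on which the data port was announced.
function schedule_data_channel(c: connection, data_h: addr, data_p: port,
                               wildcard_orig: bool): bool
	{
	# With wildcard_orig the originator is left open (0.0.0.0 matches any
	# address), which is needed when the data connection may come from an
	# address other than the control channel's client. Otherwise only a
	# connection from that client is matched, which is the tighter choice.
	local orig = wildcard_orig ? 0.0.0.0 : c$id$orig_h;

	# The request is dropped if no matching connection appears within the
	# timeout, so stale entries do not accumulate for transfers that never
	# happen. 5 minutes is an assumed value for this example.
	local ok = Analyzer::schedule_analyzer(orig, data_h, data_p,
	                                       Analyzer::ANALYZER_FTP_DATA, 5mins);

	if ( ! ok )
		Reporter::warning(fmt("could not schedule FTP_DATA for %s:%s (control %s)",
		                      data_h, data_p, c$uid));

	return ok;
	}
```

A caller that has parsed the announced address and port from the control channel would invoke it as schedule_data_channel(c, announced_h, announced_p, F), reserving the wildcard form for cases where the originator genuinely cannot be predicted.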