base/frameworks/analyzer/main.zeek
- Analyzer
Framework for managing Zeek's protocol analyzers.
The analyzer framework allows analyzers to be enabled or disabled dynamically, and manages the well-known ports that automatically activate a particular analyzer for new connections.
Protocol analyzers are identified by unique tags of type Analyzer::Tag, such as Analyzer::ANALYZER_HTTP. These tags are defined internally by the analyzers themselves, and documented in their analyzer-specific description along with the events that they generate.
Analyzer tags are also inserted into a global AllAnalyzers::Tag enum type. This type contains duplicates of all of the Analyzer::Tag, PacketAnalyzer::Tag and Files::Tag enum values and can be used for arguments to function/hook/event definitions where they need to handle any analyzer type. See Analyzer::register_for_ports for an example.
- Namespace
Analyzer
- Imports
base/bif/analyzer.bif.zeek, base/bif/file_analysis.bif.zeek, base/bif/packet_analysis.bif.zeek, base/frameworks/packet-filter/utils.zeek
Summary
State Variables
- Analyzer::disable_all: If true, all available analyzers are initially disabled at startup.
- Analyzer::disabled_analyzers: A set of analyzers to disable by default at startup.
- Analyzer::ports: A table of ports mapped to analyzers that handle those ports.
- Analyzer::requested_analyzers: A set of protocol, packet or file analyzer tags requested to be enabled during startup.
Functions
- Analyzer::all_registered_ports: Returns a table of all ports-to-analyzer mappings currently registered.
- Analyzer::analyzer_to_bpf: Automatically creates a BPF filter for the specified protocol based on the data supplied for the protocol through the Analyzer::register_for_ports function.
- Analyzer::disable_analyzer: Disables an analyzer.
- Analyzer::enable_analyzer: Enables an analyzer.
- Analyzer::get_bpf: Create a BPF filter which matches all of the ports defined by the various protocol analysis scripts as “registered ports” for the protocol.
- Analyzer::get_tag: Translates an analyzer's name to a tag enum value.
- Analyzer::has_tag: Check whether the given analyzer name exists.
- Analyzer::name: Translates an analyzer type to a string with the analyzer's name.
- Analyzer::register_for_port: Registers an individual well-known port for an analyzer.
- Analyzer::register_for_ports: Registers a set of well-known ports for an analyzer.
- Analyzer::registered_ports: Returns a set of all well-known ports currently registered for a specific analyzer.
- Analyzer::schedule_analyzer: Schedules an analyzer for a future connection originating from a given IP address and port.
Detailed Interface
State Variables
- Analyzer::disable_all
- Type
bool
- Attributes
&redef
- Default
F
If true, all available analyzers are initially disabled at startup. One can then selectively enable them with Analyzer::enable_analyzer, or list the ones to keep in Analyzer::requested_analyzers.
- Analyzer::disabled_analyzers
- Type
set[AllAnalyzers::Tag]
- Attributes
&redef
- Default
{ AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS }
A set of analyzers to disable by default at startup. The default set contains legacy analyzers that are no longer supported.
- Analyzer::ports
- Type
table[AllAnalyzers::Tag] of set[port]
- Default
{}
A table of ports mapped to analyzers that handle those ports. It is used both to build the BPF packet filter and by dynamic protocol detection (DPD). Session analyzers add to it via Analyzer::register_for_port(s); packet analyzers add to it via PacketAnalyzer::register_for_port(s).
- Analyzer::requested_analyzers
- Type
set[AllAnalyzers::Tag]
- Attributes
&redef
- Default
{}
A set of protocol, packet or file analyzer tags requested to be enabled during startup.
By default, all analyzers in Zeek are enabled. When all analyzers are disabled through Analyzer::disable_all, this set records the analyzers that should nevertheless be enabled during Zeek startup. The set can be added to via redef.
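The following is an added example of running Zeek with an explicit analyzer allowlist; it is not code from this page or from the Zeek distribution. It assumes a Zeek release where Analyzer::Tag and Files::Tag values can be placed in a set[AllAnalyzers::Tag] (as the AllAnalyzers description above implies), and the particular analyzers chosen are an illustrative policy, not a recommendation.

```zeek
# Added example, not code from the Zeek distribution. Assumes Analyzer::Tag
# and Files::Tag values may be placed in a set[AllAnalyzers::Tag]. The
# allowlist below is an illustrative choice.

# Everything off at startup ...
redef Analyzer::disable_all = T;

# ... then only these are switched back on by the framework's own zeek_init
# handler. Protocol, packet and file analyzer tags may all appear here.
redef Analyzer::requested_analyzers += {
	Analyzer::ANALYZER_HTTP,
	Analyzer::ANALYZER_SSL,
	Analyzer::ANALYZER_DNS,
	Files::ANALYZER_PE
};

# Report what was requested. A negative priority runs this handler after the
# framework has processed disable_all / requested_analyzers and after the
# protocol scripts have registered their well-known ports (they use priority 5).
event zeek_init() &priority=-10
	{
	for ( a in Analyzer::requested_analyzers )
		{
		# File analyzers have no ports, so their set is empty; for protocol
		# analyzers a non-empty set is what steers new connections to them.
		local ps = Analyzer::registered_ports(a);
		print fmt("requested: %s, registered ports: %s", Analyzer::name(a), ps);
		}
	}
```

Because disable_all takes effect before the requested set is applied, anything not in requested_analyzers stays off for the whole run, including analyzers that DPD would otherwise attach on a signature match.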
Functions
- Analyzer::all_registered_ports
- Type
function() : table[AllAnalyzers::Tag] of set[port]
Returns a table of all ports-to-analyzer mappings currently registered.
- Returns
A table mapping each analyzer to the set of ports registered for it.
- Analyzer::analyzer_to_bpf
- Type
function(tag: Analyzer::Tag) : string
Automatically creates a BPF filter for the specified protocol based on the data supplied for the protocol through the Analyzer::register_for_ports function.
- Parameters
tag – The analyzer tag.
- Returns
BPF filter string.
- Analyzer::disable_analyzer
- Type
function(tag: AllAnalyzers::Tag) : bool
Disables an analyzer. Once disabled, the analyzer will not be used further for analysis of future connections.
- Parameters
tag – The tag of the analyzer to disable.
- Returns
True if the analyzer was successfully disabled.
- Analyzer::enable_analyzer
- Type
function(tag: AllAnalyzers::Tag) : bool
Enables an analyzer. Once enabled, the analyzer may be used for analysis of future connections as decided by Zeek’s dynamic protocol detection.
- Parameters
tag – The tag of the analyzer to enable.
- Returns
True if the analyzer was successfully enabled.
- Analyzer::get_bpf
- Type
function() : string
Create a BPF filter which matches all of the ports defined by the various protocol analysis scripts as “registered ports” for the protocol.
- Returns
BPF filter string covering every registered port.
- Analyzer::get_tag
- Type
function(name: string) : AllAnalyzers::Tag
Translates an analyzer’s name to a tag enum value.
- Parameters
name – The analyzer name.
- Returns
The analyzer tag corresponding to the name.
- Analyzer::has_tag
- Type
function(name: string) : bool
Check whether the given analyzer name exists.
This can be used before calling Analyzer::get_tag to verify that the given name, as a string, is a valid analyzer name.
- Parameters
name – The analyzer name.
- Returns
True if the given name is a valid analyzer, else false.
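The following added example shows the has_tag / get_tag / disable_analyzer sequence driven by analyzer names supplied as strings; it is not code from this page or from the Zeek distribution. The name list is constructed input (one entry is deliberately bogus), and the choice of which analyzers to disable is illustrative only.

```zeek
# Added example, not code from the Zeek distribution. Analyzer names arrive
# as strings (for instance from a site-local configuration); the set below
# is constructed input and "Not_An_Analyzer" is intentionally bogus.
const analyzers_to_disable: set[string] = { "HTTP", "Not_An_Analyzer" } &redef;

# Negative priority: run after the framework has applied its own
# disabled_analyzers / requested_analyzers processing.
event zeek_init() &priority=-5
	{
	for ( name in analyzers_to_disable )
		{
		# Validate before translating: only names accepted by has_tag are
		# safe to hand to get_tag, so reject anything else with a warning.
		if ( ! Analyzer::has_tag(name) )
			{
			Reporter::warning(fmt("unknown analyzer name '%s', ignoring", name));
			next;
			}

		local tag = Analyzer::get_tag(name);

		# disable_analyzer reports success as a bool; a false return here is
		# worth surfacing rather than silently continuing.
		if ( Analyzer::disable_analyzer(tag) )
			print fmt("disabled analyzer %s", Analyzer::name(tag));
		else
			Reporter::warning(fmt("failed to disable analyzer %s", name));
		}
	}
```

Running with a bogus name yields a reporter warning for that entry and the remaining valid names are still processed, which is the behaviour one wants from a config-driven allow/deny list.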
- Analyzer::name
- Type
function(atype: AllAnalyzers::Tag) : string
Translates an analyzer type to a string with the analyzer's name.
- Parameters
atype – The analyzer tag.
- Returns
The analyzer name corresponding to the tag.
- Analyzer::register_for_port
- Type
function(tag: Analyzer::Tag, p: port) : bool
Registers an individual well-known port for an analyzer. If a future connection on this port is seen, the analyzer will be automatically assigned to parsing it. The function adds to all ports already registered, it doesn’t replace them.
- Parameters
tag – The tag of the analyzer.
p – The well-known port to associate with the analyzer.
- Returns
True if the port was successfully registered.
- Analyzer::register_for_ports
- Type
function(tag: Analyzer::Tag, ports: set[port]) : bool
Registers a set of well-known ports for an analyzer. If a future connection on one of these ports is seen, the analyzer will be automatically assigned to parsing it. The function adds to all ports already registered, it doesn’t replace them.
- Parameters
tag – The tag of the analyzer.
ports – The set of well-known ports to associate with the analyzer.
- Returns
True if the ports were successfully registered.
- Analyzer::registered_ports
- Type
function(tag: AllAnalyzers::Tag) : set[port]
Returns a set of all well-known ports currently registered for a specific analyzer.
- Parameters
tag – The tag of the analyzer.
- Returns
The set of ports.
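The following added example ties together Analyzer::ports, register_for_port(s), registered_ports, all_registered_ports and analyzer_to_bpf; it is not code from this page or from the Zeek distribution. The extra HTTP and TLS ports are constructed values for a hypothetical site; the priority ordering relies on Zeek's own protocol scripts registering their ports in zeek_init at priority 5.

```zeek
# Added example, not code from the Zeek distribution. The port numbers are
# constructed for a hypothetical site.
const local_http_ports: set[port] = { 8000/tcp, 8080/tcp, 8888/tcp } &redef;

# Priority 5 matches where Zeek's own protocol scripts register their ports,
# i.e. before the packet filter is built from the combined Analyzer::ports table.
event zeek_init() &priority=5
	{
	# register_for_ports adds to HTTP's existing ports; it never replaces them,
	# so 80/tcp and friends from the base scripts stay registered.
	if ( ! Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, local_http_ports) )
		Reporter::warning("some HTTP ports could not be registered");

	# A single extra TLS port via the singular form.
	if ( ! Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 8443/tcp) )
		Reporter::warning("could not register 8443/tcp for SSL");
	}

# Inspect the result once all registrations are in place.
event zeek_init() &priority=-10
	{
	local all = Analyzer::all_registered_ports();

	for ( tag in all )
		print fmt("%s: %s", Analyzer::name(tag), all[tag]);

	# Per-analyzer view, and the BPF expression derived from it; the filter is
	# built purely from the registered ports, so it grows with the set above.
	print Analyzer::registered_ports(Analyzer::ANALYZER_HTTP);
	print Analyzer::analyzer_to_bpf(Analyzer::ANALYZER_HTTP);
	}
```

The security-relevant point is that a port registration does two things at once: it tells DPD to try the analyzer first on that port, and it widens the BPF filter so the traffic is captured at all. Forgetting the registration on a non-standard port means the traffic may be dropped by the filter before any analyzer sees it.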
- Analyzer::schedule_analyzer
- Type
function(orig: addr, resp: addr, resp_p: port, analyzer: Analyzer::Tag, tout: interval) : bool
Schedules an analyzer for a future connection originating from a given IP address and port.
- Parameters
orig – The IP address originating a connection in the future. 0.0.0.0 can be used as a wildcard to match any originator address.
resp – The IP address responding to a connection from orig.
resp_p – The destination port at resp.
analyzer – The tag of the analyzer to attach once the connection is seen.
tout – A timeout interval after which the scheduling request will be discarded if the connection has not yet been seen.
- Returns
True if successful.
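The following added example shows schedule_analyzer used for a data channel whose endpoint is negotiated on a control connection; it is not code from this page or from the Zeek distribution. expect_data_channel is a hypothetical helper that a control-channel script would call once it has parsed the endpoint; the five-minute timeout is a constructed value; and the scheduled_analyzer_applied event is assumed to exist with the signature shown.

```zeek
# Added example, not code from the Zeek distribution. expect_data_channel is
# hypothetical; scheduled_analyzer_applied is assumed to exist as declared here.

function expect_data_channel(c: connection, data_host: addr, data_port: port,
                             analyzer: Analyzer::Tag)
	{
	# 0.0.0.0 as the originator accepts the data connection from any client,
	# which passive-mode transfers need; pass c$id$orig_h instead when the
	# protocol guarantees that the same client opens the data channel.
	local orig = 0.0.0.0;

	# Window in which the data connection must appear; afterwards the scheduled
	# request is discarded (constructed value).
	local window = 5mins;

	if ( ! Analyzer::schedule_analyzer(orig, data_host, data_port, analyzer, window) )
		Reporter::warning(fmt("could not schedule %s for %s:%s",
		                      Analyzer::name(analyzer), data_host, data_port));
	else
		print fmt("scheduled %s for %s:%s (negotiated on %s)",
		          Analyzer::name(analyzer), data_host, data_port, c$id);
	}

# Raised when a scheduled analyzer is attached to a connection that matched
# the (orig, resp, resp_p) triple before the timeout expired.
event scheduled_analyzer_applied(c: connection, a: AllAnalyzers::Tag)
	{
	print fmt("%s attached to %s:%s -> %s:%s", Analyzer::name(a),
	          c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
	}
```

The wildcard originator is deliberate for passive-mode transfers, but it also means any host reaching that endpoint within the window gets the analyzer; keep the timeout short and narrow orig when the protocol allows it.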