base/frameworks/dpd/main.zeek

DPD: Activates port-independent protocol detection and selectively disables analyzers if protocol violations occur.

Namespace: DPD

Summary

Runtime Options
- DPD::ignore_violations: Analyzers which you don't want to throw
- DPD::ignore_violations_after: Ignore violations which go this many bytes into the connection.
- DPD::max_violations: Number of protocol violations to tolerate before disabling an analyzer.

Types
- DPD::Info: The record type defining the columns to log in the DPD logging stream.
- Ongoing DPD state tracking information.

Redefinitions
- Add the DPD logging stream identifier.

Hooks
- DPD::log_policy: A default logging policy hook for the stream.
Detailed Interface

Runtime Options

DPD::ignore_violations
- Type
- Attributes
- Default: {}
- Redefinition from base/protocols/dce-rpc/main.zeek: += Analyzer::ANALYZER_DCE_RPC
- Redefinition from base/protocols/ntlm/main.zeek: += Analyzer::ANALYZER_NTLM

Analyzers which you don't want to throw

DPD::ignore_violations_after

Ignore violations which go this many bytes into the connection. Set to 0 to never ignore protocol violations.

DPD::max_violations

Number of protocol violations to tolerate before disabling an analyzer.
Types

DPD::Info
- Type: record
  - ts: time &log
    Timestamp for when protocol analysis failed.
  - uid: string &log
    Connection unique ID.
  - id: conn_id &log
    Connection ID containing the 4-tuple which identifies endpoints.
  - proto: transport_proto &log
    Transport protocol for the violation.
  - analyzer: string &log
    The analyzer that generated the violation.
  - failure_reason: string &log
    The textual reason for the analysis failure.
  - packet_segment: string &optional &log
    (present if policy/frameworks/dpd/packet-segment-logging.zeek is loaded)
    A chunk of the payload that most likely resulted in the analyzer violation.

The record type defining the columns to log in the DPD logging stream.

Hooks

DPD::log_policy
- Type

A default logging policy hook for the stream.
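As an added example (not part of base/frameworks/dpd/main.zeek or any Zeek distribution script), the following local site script shows how the three runtime options above are tuned and how DPD::log_policy vetoes individual dpd.log writes. It assumes DPD::ignore_violations is a set of Analyzer::Tag values (as the dce-rpc and ntlm redefinitions imply), that DPD::max_violations is a table keyed by Analyzer::Tag, that Analyzer::ANALYZER_HTTP and Analyzer::ANALYZER_SSL exist in the build, and lab_net is a constructed value.

```zeek
# Added example: a local site script tuning the DPD framework.
# Not part of base/frameworks/dpd/main.zeek.
@load base/frameworks/dpd

# Assumption: DPD::ignore_violations is a set[Analyzer::Tag] (the
# redefinitions from the dce-rpc and ntlm scripts add single tags to it).
# Never disable the HTTP analyzer because of a violation.
redef DPD::ignore_violations += { Analyzer::ANALYZER_HTTP };

# Only act on violations within the first 4 KiB of a connection; a
# violation deeper into the stream is ignored. 0 would mean "never ignore".
redef DPD::ignore_violations_after = 4096;

# Assumption: DPD::max_violations is a table[Analyzer::Tag] of count.
# Allow the SSL analyzer ten violations before it is disabled, leaving
# the framework's default threshold in place for every other analyzer.
redef DPD::max_violations += { [Analyzer::ANALYZER_SSL] = 10 };

# Constructed value for this example: a lab network whose dpd.log noise
# should not reach the central log store.
const lab_net: subnet = 10.99.0.0/16 &redef;

# DPD::log_policy runs for every DPD::Info record before it is written.
# "break" vetoes the write; records involving any other network are
# logged as usual.
hook DPD::log_policy(rec: DPD::Info, id: Log::ID, filter: Log::Filter)
	{
	if ( rec$id$orig_h in lab_net && rec$id$resp_h in lab_net )
		break;
	}
```

Load it from local.zeek (or pass it on the zeek command line) after the base scripts so the redefs apply before any connection is analyzed.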