base/frameworks/dpd/main.zeek¶
-
DPD¶
Activates port-independent protocol detection and selectively disables analyzers if protocol violations occur.
| Namespace: | DPD |
|---|
Summary¶
Runtime Options¶
DPD::ignore_violations: set &redef |
Analyzers which you don’t want to throw |
DPD::ignore_violations_after: count &redef |
Ignore violations which go this many bytes into the connection. |
DPD::max_violations: table &default = 5 &optional &redef |
Number of protocol violations to tolerate before disabling an analyzer. |
Types¶
DPD::Info: record |
The record type defining the columns to log in the DPD logging stream. |
DPD::State: record |
Ongoing DPD state tracking information. |
Redefinitions¶
Log::ID: enum |
Add the DPD logging stream identifier. |
connection: record |
Detailed Interface¶
Runtime Options¶
-
DPD::ignore_violations¶ Type: Attributes: Default: {}Redefinition: from base/protocols/dce-rpc/main.zeek
+=:Analyzer::ANALYZER_DCE_RPC
Redefinition: from base/protocols/ntlm/main.zeek
+=:Analyzer::ANALYZER_NTLM
Analyzers which you don’t want to throw
Types¶
-
DPD::Info¶ Type: - ts:
time&log Timestamp for when protocol analysis failed.
- uid:
string&log Connection unique ID.
- id:
conn_id&log Connection ID containing the 4-tuple which identifies endpoints.
- proto:
transport_proto&log Transport protocol for the violation.
- analyzer:
string&log The analyzer that generated the violation.
- failure_reason:
string&log The textual reason for the analysis failure.
- packet_segment:
string&optional&log (present if policy/frameworks/dpd/packet-segment-logging.zeek is loaded)
A chunk of the payload that most likely resulted in the protocol violation.
The record type defining the columns to log in the DPD logging stream.
- ts: