base/frameworks/dpd/main.zeek¶

DPD¶

Activates port-independent protocol detection and selectively disables analyzers if protocol violations occur.

Namespace: DPD

Summary¶

Runtime Options¶

`DPD::ignore_violations`: `set` `&redef`	Analyzers which you don’t want to throw
`DPD::ignore_violations_after`: `count` `&redef`	Ignore violations which go this many bytes into the connection.
`DPD::max_violations`: `table` `&default` = `5` `&optional` `&redef`	Number of protocol violations to tolerate before disabling an analyzer.

Types¶

`DPD::Info`: `record`	The record type defining the columns to log in the DPD logging stream.
`DPD::State`: `record`	Ongoing DPD state tracking information.

Redefinitions¶

Log::ID: enum

Add the DPD logging stream identifier.

DPD::LOG

connection: record

New Fields

dpd: DPD::Info &optional

dpd_state: DPD::State &optional

Hooks¶

DPD::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Detailed Interface¶

Runtime Options¶

DPD::ignore_violations ¶

Type

set [Analyzer::Tag]

Attributes

Default

{}

Redefinition

from base/protocols/dce-rpc/main.zeek

+=:

Analyzer::ANALYZER_DCE_RPC

Redefinition

from base/protocols/ntlm/main.zeek

+=:

Analyzer::ANALYZER_NTLM

Analyzers which you don’t want to throw

DPD::ignore_violations_after ¶

Type: count
Attributes: &redef
Default: 10240

Ignore violations which go this many bytes into the connection. Set to 0 to never ignore protocol violations.

DPD::max_violations ¶

Type: table [Analyzer::Tag] of count
Attributes: &default = 5 &optional &redef
Default: {}

Number of protocol violations to tolerate before disabling an analyzer.

Types¶

DPD::Info ¶

Type

ts: time &log

Timestamp for when protocol analysis failed.

uid: string &log

Connection unique ID.

id: conn_id &log

Connection ID containing the 4-tuple which identifies endpoints.

proto: transport_proto &log

Transport protocol for the violation.

analyzer: string &log

The analyzer that generated the violation.

failure_reason: string &log

The textual reason for the analysis failure.

packet_segment: string &optional &log

(present if policy/frameworks/dpd/packet-segment-logging.zeek is loaded)

A chunk of the payload that most likely resulted in the analyzer violation.

The record type defining the columns to log in the DPD logging stream.

DPD::State ¶

Type

violations: table [count] of count: Current number of protocol violations seen per analyzer instance.

Ongoing DPD state tracking information.

Hooks¶

DPD::log_policy ¶

Type: Log::PolicyHook

A default logging policy hook for the stream.

Read the Docs v: master (git/master)

Versions: master; v4.2.1; v4.2.0; v4.1.1; v4.0.6; v4.0.5; v4.0.4; v4.0.3; v4.0.2; v4.0.1; v4.0.0; v4.0.0-rc3; v4.0.0-rc2; v4.0.0-rc1; v3.2.3; v3.2.2; v3.2.1; v3.2.0; v3.2.0-rc1; v3.1.4; v3.1.3; v3.1.2; v3.1.1; v3.1.0; v3.1.0-rc; v3.0.14; v3.0.13; v3.0.12; v3.0.11; v3.0.10; v3.0.9; v3.0.8; v3.0.7; v3.0.6; v3.0.5; v3.0.4; v3.0.3; v3.0.2; v3.0.1; v3.0.0; lts; devel; current

Downloads: html

On Read the Docs: Project Home; Builds