base/frameworks/dpd/main.zeek

- DPD

Activates port-independent protocol detection and selectively disables analyzers if protocol violations occur.

Namespace: DPD

Summary

Runtime Options
DPD::ignore_violations : set &redef
    Analyzers which you don't want to throw
DPD::ignore_violations_after : count &redef
    Ignore violations which go this many bytes into the connection.
DPD::max_violations : table &default = 5 &optional &redef
    Number of protocol violations to tolerate before disabling an analyzer.
Types

DPD::Info : record
    The record type defining the columns to log in the DPD logging stream.
DPD::State : record
    Ongoing DPD state tracking information.
Redefinitions

Log::ID : enum
    Add the DPD logging stream identifier.
connection : record
Hooks

DPD::log_policy : Log::PolicyHook
    A default logging policy hook for the stream.
Detailed Interface

Runtime Options

- DPD::ignore_violations
    Type: set
    Attributes: &redef
    Default: {}
    Redefinition: from base/protocols/dce-rpc/main.zeek
        += Analyzer::ANALYZER_DCE_RPC
    Redefinition: from base/protocols/ntlm/main.zeek
        += Analyzer::ANALYZER_NTLM
    Analyzers which you don't want to throw
Types

- DPD::Info
    Type: record
    - ts: time &log
        Timestamp for when protocol analysis failed.
    - uid: string &log
        Connection unique ID.
    - id: conn_id &log
        Connection ID containing the 4-tuple which identifies endpoints.
    - proto: transport_proto &log
        Transport protocol for the violation.
    - analyzer: string &log
        The analyzer that generated the violation.
    - failure_reason: string &log
        The textual reason for the analysis failure.
    - packet_segment: string &optional &log
        (present if policy/frameworks/dpd/packet-segment-logging.zeek is loaded)
        A chunk of the payload that most likely resulted in the protocol violation.
    The record type defining the columns to log in the DPD logging stream.
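As an added example (not part of the Zeek documentation or of the DPD framework's own code), the following Python script parses a Zeek ASCII dpd.log whose columns follow the DPD::Info record above, including the optional packet_segment column, and counts violations per analyzer. The log excerpt, its uids and its addresses are constructed for the example.

```python
"""Parse a Zeek ASCII dpd.log into DPD::Info-shaped records; sample log is constructed."""
import re
from collections import Counter

# Constructed dpd.log: the DPD::Info columns (conn_id flattens to id.orig_h, id.orig_p,
# id.resp_h, id.resp_p) plus the optional packet_segment column; "-" marks an unset field.
SAMPLE_DPD_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tdpd
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tanalyzer\tfailure_reason\tpacket_segment
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring
1700000000.100000\tCx1Abc\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\tHTTP\tnot a http request line\tGET\\x09/\\x0d\\x0a
1700000000.200000\tCx2Def\t10.0.0.6\t40000\t192.0.2.20\t443\ttcp\tSSL\tInvalid version late in TLS handshake\t-
1700000000.300000\tCx1Abc\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\tHTTP\tnot a http reply line\t-
#close\t2023-11-14-22-15-00
"""


def unescape(value: str) -> str:
    """Undo Zeek's \\xHH escaping of non-printable bytes in string fields."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_dpd_log(text: str) -> list:
    """One dict per record, keyed by the #fields names; unset fields become None."""
    fields, unset, records = None, "-", []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # only #fields and #unset_field matter
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue
        if fields is None:
            raise ValueError("record line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        rec = {f: (None if v == unset else v) for f, v in zip(fields, values)}
        if rec.get("packet_segment") is not None:  # present only with packet-segment-logging
            rec["packet_segment"] = unescape(rec["packet_segment"])
        records.append(rec)
    return records


def violations_per_analyzer(records) -> Counter:
    """Violations per analyzer name, as logged in the DPD::Info analyzer column."""
    return Counter(r["analyzer"] for r in records)
```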
Hooks

- DPD::log_policy
    Type: Log::PolicyHook
    A default logging policy hook for the stream.