policy/frameworks/dpd/detect-protocols.zeek

ProtocolDetector

Uses dynamic protocol detection (DPD) to find connections that speak a recognized protocol on a non-standard port, and raises notices for them.

Namespace

ProtocolDetector

Imports

base/frameworks/notice, base/protocols/conn/removal-hooks.zeek, base/utils/conn-ids.zeek, base/utils/site.zeek

Summary

Runtime Options

ProtocolDetector::minimum_duration: interval &redef

ProtocolDetector::minimum_volume: double &redef

ProtocolDetector::suppress_servers: set &redef

ProtocolDetector::valids: table &redef

Constants

ProtocolDetector::check_interval: interval

State Variables

ProtocolDetector::servers: table &read_expire = 14.0 days

Types

ProtocolDetector::dir: enum

Redefinitions

Notice::Type: enum

Hooks

ProtocolDetector::finalize_protocol_detection: Conn::RemovalHook

Non-standard protocol port detection finalization hook.

Functions

ProtocolDetector::found_protocol: function

Detailed Interface

Runtime Options

ProtocolDetector::minimum_duration
Type

interval

Attributes

&redef

Default

30.0 secs

ProtocolDetector::minimum_volume
Type

double

Attributes

&redef

Default

4000.0

ProtocolDetector::suppress_servers
Type

set [Analyzer::Tag]

Attributes

&redef

Default

{}

ProtocolDetector::valids
Type

table [Analyzer::Tag, addr, port] of ProtocolDetector::dir

Attributes

&redef

Default

{}
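An added example of how a site would tune these options from its local.zeek; it is not part of detect-protocols.zeek or of this page. The meaning of the direction values and of a 0.0.0.0 responder address follow the script's implementation rather than anything stated on this page: INCOMING suppresses the notice when the responder is inside Site::local_nets, OUTGOING when it is outside, BOTH always, NONE never, and 0.0.0.0 matches any responder. The networks, hosts, ports and thresholds are assumptions made up for the example.

```zeek
# Added example (not part of detect-protocols.zeek): site tuning in local.zeek.
@load policy/frameworks/dpd/detect-protocols

# Site::local_nets drives the INCOMING/OUTGOING test. Example ranges (assumed).
redef Site::local_nets += { 10.0.0.0/8, 192.168.0.0/16 };

# Known-benign (analyzer, responder, port) tuples. The direction names the
# case in which the finding is expected and therefore NOT reported:
#   INCOMING  - the responder is a local host (our own server on an odd port)
#   OUTGOING  - the responder is external (our clients talking to the Internet)
#   BOTH      - never report this tuple
#   NONE      - always report it (same as not listing it)
# A responder of 0.0.0.0 matches any responder address.
redef ProtocolDetector::valids += {
	# Assumed internal reverse proxy serving HTTP on 8080/tcp.
	[Analyzer::ANALYZER_HTTP, 10.0.5.20, 8080/tcp] = ProtocolDetector::INCOMING,
	# Clients fetching from the usual alternate HTTP ports anywhere.
	[Analyzer::ANALYZER_HTTP, 0.0.0.0, 8000/tcp] = ProtocolDetector::OUTGOING,
	[Analyzer::ANALYZER_HTTP, 0.0.0.0, 8080/tcp] = ProtocolDetector::OUTGOING,
	# Assumed jump host that legitimately runs SSH on 2222/tcp for everyone.
	[Analyzer::ANALYZER_SSH, 10.0.5.30, 2222/tcp] = ProtocolDetector::BOTH,
};

# HTTP servers on odd ports are common enough that a notice per server only
# adds noise and per-server state; the per-connection notices are kept.
redef ProtocolDetector::suppress_servers += { Analyzer::ANALYZER_HTTP };

# Decide earlier than the defaults of 30 secs / 4000 bytes: treat a
# connection as using a protocol once its analyzer has survived 10 seconds
# or 1000 bytes of payload.
redef ProtocolDetector::minimum_duration = 10 secs;
redef ProtocolDetector::minimum_volume = 1000.0;
```

As implemented in the script, a connection counts as using protocol X when the analyzer for X is still active after minimum_duration, after minimum_volume bytes of payload in both directions combined, or at the end of the connection, whichever comes first; the connection size is re-checked every check_interval. Lowering the thresholds produces earlier notices at the cost of more false positives from analyzers that would have been disabled a few seconds later, so keep an eye on dpd.log when tuning.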

Constants

ProtocolDetector::check_interval
Type

interval

Default

5.0 secs

State Variables

ProtocolDetector::servers
Type

table [addr, port, string] of set [string]

Attributes

&read_expire = 14.0 days

Default

{}

Types

ProtocolDetector::dir
Type

enum

ProtocolDetector::NONE
ProtocolDetector::INCOMING
ProtocolDetector::OUTGOING
ProtocolDetector::BOTH

Hooks

ProtocolDetector::finalize_protocol_detection
Type

Conn::RemovalHook

Non-standard protocol port detection finalization hook.

Functions

ProtocolDetector::found_protocol
Type

function (c: connection, atype: Analyzer::Tag, protocol: string) : void
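An added example of another script using the entry point above to attach a sub-protocol label to a connection; it is not part of detect-protocols.zeek or of the Zeek distribution. The policy it implements (label HTTP connections that carry a CONNECT tunnel, so the resulting notice distinguishes a forward proxy from a plain web server on a non-standard port), the module name ProxyLabel and the label string are all assumptions of the example.

```zeek
# Added example (not part of detect-protocols.zeek or Zeek): label HTTP
# connections that carry a CONNECT tunnel so the ProtocolDetector notice
# tells a forward proxy apart from a plain web server on an unusual port.
@load base/protocols/http
@load policy/frameworks/dpd/detect-protocols

module ProxyLabel;  # hypothetical module name

export {
	# Sub-protocol label handed to ProtocolDetector; an arbitrary string.
	const connect_label = "CONNECT-proxy" &redef;
}

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{
	if ( method != "CONNECT" )
		return;

	# Report the (sub-)protocol seen on this connection. The label is only
	# rendered if ProtocolDetector later raises a notice for the connection;
	# the script ignores the report when resp_p is one of the HTTP analyzer's
	# registered ports, so only proxies on unusual ports end up labelled.
	ProtocolDetector::found_protocol(c, Analyzer::ANALYZER_HTTP, connect_label);
	}
```

Because found_protocol only records the label and the decision to notify is still made by ProtocolDetector's own duration, volume and port checks, a script like this adds context to existing notices without generating any of its own.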