policy/frameworks/packet-filter/shunt.zeek

Namespace

PacketFilter

Imports

base/frameworks/notice, base/frameworks/packet-filter

Summary

Redefinable Options

PacketFilter::max_bpf_shunts: count &redef

The maximum number of BPF-based shunts that Zeek is allowed to perform.

Redefinitions

Notice::Type: enum

Functions

PacketFilter::current_shunted_conns: function

Retrieve the currently shunted connections.

PacketFilter::current_shunted_host_pairs: function

Retrieve the currently shunted host pairs.

PacketFilter::force_unshunt_host_pair: function

Performs the same function as the PacketFilter::unshunt_host_pair function, but it forces an immediate filter update.

PacketFilter::shunt_conn: function

Call this function to use BPF to shunt a connection (to prevent the data packets from reaching Zeek).

PacketFilter::shunt_host_pair: function

This function will use a BPF expression to shunt traffic between the two hosts given in the conn_id so that the traffic is never exposed to Zeek’s traffic processing.

PacketFilter::unshunt_host_pair: function

Remove shunting for a host pair given as a conn_id.

Detailed Interface

Redefinable Options

PacketFilter::max_bpf_shunts
Type

count

Attributes

&redef

Default

100

The maximum number of BPF-based shunts that Zeek is allowed to perform.

Functions

PacketFilter::current_shunted_conns
Type

function () : set [conn_id]

Retrieve the currently shunted connections.

PacketFilter::current_shunted_host_pairs
Type

function () : set [conn_id]

Retrieve the currently shunted host pairs.

PacketFilter::force_unshunt_host_pair
Type

function (id: conn_id) : bool

Performs the same function as the PacketFilter::unshunt_host_pair function, but it forces an immediate filter update.

PacketFilter::shunt_conn
Type

function (id: conn_id) : bool

Call this function to use BPF to shunt a connection (to prevent the data packets from reaching Zeek). For TCP connections, control packets are still allowed through so that Zeek can continue logging the connection and it can stop shunting once the connection ends.

PacketFilter::shunt_host_pair
Type

function (id: conn_id) : bool

This function will use a BPF expression to shunt traffic between the two hosts given in the conn_id so that the traffic is never exposed to Zeek’s traffic processing.

PacketFilter::unshunt_host_pair
Type

function (id: conn_id) : bool

Remove shunting for a host pair given as a conn_id. The filter is not removed immediately; the pair stays shunted until the next periodic filter update performed by the PacketFilter framework.
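As an added example (not part of shunt.zeek or the Zeek project's documentation), the script below uses PacketFilter::shunt_conn to stop inspecting bulk TCP transfers once they pass a byte threshold, so the sensor spends its capacity on the remaining traffic. The server ports, the threshold and the raised shunt cap are assumed values, and the polling uses ConnPolling::watch from base/protocols/conn/polling; the return value of shunt_conn is checked because a refused shunt (for example when max_bpf_shunts is exhausted) means the connection keeps being fully inspected.

```zeek
@load base/protocols/conn
@load policy/frameworks/packet-filter/shunt

module ShuntBulk;

export {
	## Assumed threshold: a TCP connection that has carried at least this
	## many payload bytes in both directions is treated as a bulk transfer.
	const bulk_bytes = 100000000 &redef;

	## Assumed: only connections to these server ports are shunt candidates.
	const bulk_ports: set[port] = { 873/tcp, 9000/tcp } &redef;
}

# Raise the framework's default cap of 100 shunts for this sensor (assumed value).
redef PacketFilter::max_bpf_shunts = 200;

# ConnPolling callback: returns the next polling interval, or 0secs to stop.
function check_bulk(c: connection, cnt: count): interval
	{
	local bytes = c$orig$size + c$resp$size;
	if ( bytes < bulk_bytes )
		return 30secs;   # not bulk yet; look again later

	# Shunt the data packets. TCP control packets still reach Zeek, so the
	# connection is still logged and the shunt is released when it ends.
	if ( PacketFilter::shunt_conn(c$id) )
		Reporter::info(fmt("shunted %s after %d bytes",
		                   id_string(c$id), bytes));
	else
		# shunt_conn returns F when the shunt could not be installed; the
		# connection then remains fully inspected, which is the safe outcome.
		Reporter::info(fmt("shunt refused for %s (cap %d)",
		                   id_string(c$id), PacketFilter::max_bpf_shunts));

	return 0secs;   # one decision per connection; stop polling
	}

event connection_established(c: connection)
	{
	if ( c$id$resp_p in bulk_ports )
		# Start polling 30 seconds after the handshake; poll count starts at 0.
		ConnPolling::watch(c, check_bulk, 0, 30secs);
	}
```

Because shunted payload is invisible to every analyzer, keep the candidate set narrow and review the reporter messages to confirm only the intended transfers are being shunted.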