base/frameworks/analyzer/dpd.zeek

DPD

Activates port-independent protocol detection and selectively disables analyzers if protocol violations occur.

Namespace:

DPD

Summary

Runtime Options

DPD::ignore_violations: set &redef

Analyzers which you don’t want to throw

DPD::ignore_violations_after: count &redef

Ignore violations which go this many bytes into the connection.

DPD::max_violations: table &deprecated = "Remove in v8.1: This has become non-functional in Zeek 7.2, see PR #4200" &default = 5 &optional &redef

Deprecated, please see https://github.com/zeek/zeek/pull/4200 for details

DPD::track_removed_services_in_connection: bool &redef

Change behavior of service field in conn.log: Failed services are no longer removed.

Types

DPD::Info: record

The record type defining the columns to log in the DPD logging stream.

Redefinitions

Log::ID: enum

Add the DPD logging stream identifier.

connection: record

New Fields:

connection

dpd: DPD::Info &optional

service_violation: set [string] &default = {  } &optional

The set of services (analyzers) for which Zeek has observed a violation after the same service had previously been confirmed.

Hooks

DPD::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Detailed Interface

Runtime Options

DPD::ignore_violations
Type:

set [Analyzer::Tag]

Attributes:

&redef

Default:

{}

Redefinition:

from base/protocols/dce-rpc/main.zeek

+=:

Analyzer::ANALYZER_DCE_RPC

Redefinition:

from base/protocols/ntlm/main.zeek

+=:

Analyzer::ANALYZER_NTLM

Analyzers which you don’t want to throw

DPD::ignore_violations_after
Type:

count

Attributes:

&redef

Default:

10240

Ignore violations which go this many bytes into the connection. Set to 0 to never ignore protocol violations.
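The two options above are the knobs a site most often tunes. The following site-policy fragment is an added example, not code from the Zeek distribution: it disables the byte cut-off so that a violation late in a long, already-confirmed session still reaches dpd.log, and adds one analyzer to the ignore set. The choice of Analyzer::ANALYZER_SSL as the ignored analyzer is an assumption for illustration, not a recommendation.

```zeek
# Added example (not part of Zeek): DPD tuning for a site policy such as
# local.zeek.  base/frameworks/analyzer/dpd is loaded by default, the
# explicit @load only documents the dependency.
@load base/frameworks/analyzer/dpd

# Default is 10240: a violation more than 10 KiB into the connection is
# silently ignored, so a client that speaks clean HTTP first and then
# switches to something else is never reported.  0 disables the cut-off.
# Assumption: the extra dpd.log volume is acceptable on this sensor.
redef DPD::ignore_violations_after = 0;

# Analyzers whose violations Zeek should not act on at all.  Zeek itself
# adds Analyzer::ANALYZER_DCE_RPC and Analyzer::ANALYZER_NTLM here (see
# the Redefinition entries above); ANALYZER_SSL is an assumed site choice.
redef DPD::ignore_violations += { Analyzer::ANALYZER_SSL };
```

Ignoring an analyzer here means its violations neither land in dpd.log nor cause the analyzer to be removed from the connection, so use it for analyzers that are known to be noisy on your traffic, not to quiet down a detection you have not investigated.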

DPD::max_violations
Type:

table [Analyzer::Tag] of count

Attributes:

&deprecated = "Remove in v8.1: This has become non-functional in Zeek 7.2, see PR #4200" &default = 5 &optional &redef

Default:

{}

Deprecated, please see https://github.com/zeek/zeek/pull/4200 for details

DPD::track_removed_services_in_connection
Type:

bool

Attributes:

&redef

Default:

F

Change behavior of the service field in conn.log: failed services are no longer removed. Instead, for a failed service, a second entry with a "-" in front of it is added. E.g. an HTTP connection with a violation would be logged as "http,-http".
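A service that was confirmed and then violated its own protocol is exactly what a tunnelled or evasive client looks like, so it is worth more than a conn.log annotation. The script below is an added example, not part of Zeek: it turns on the "http,-http" style tracking and, using the connection$service_violation set documented in the Redefinitions section above, raises a notice at connection end. The module name ServiceViolation and the notice type Confirmed_Then_Violated are assumed names chosen for this example.

```zeek
# Added example (not part of Zeek): alert when a confirmed service later
# fails protocol analysis on the same connection.
@load base/frameworks/analyzer/dpd
@load base/frameworks/notice
@load base/protocols/conn

# Keep failed services visible in conn.log as "http,-http" rather than
# dropping "http" from the service field.
redef DPD::track_removed_services_in_connection = T;

module ServiceViolation;   # assumed module name

export {
	redef enum Notice::Type += {
		## A service was confirmed on this connection and afterwards
		## violated its protocol (connection$service_violation non-empty).
		Confirmed_Then_Violated,
	};
}

event connection_state_remove(c: connection)
	{
	# service_violation is &default = {} &optional, so reading it is
	# always safe; an empty set means no confirmed service failed.
	if ( |c$service_violation| == 0 )
		return;

	local svcs = join_string_set(c$service_violation, ",");

	NOTICE([$note=Confirmed_Then_Violated,
	        $conn=c,
	        $msg=fmt("service(s) %s confirmed, then protocol violation", svcs),
	        # Suppress repeats for the same host pair and service set.
	        $identifier=cat(c$id$orig_h, c$id$resp_h, svcs)]);
	}
```

The notice carries the connection, so the uid ties it back to the matching dpd.log row, whose failure_reason says why the analyzer gave up. Note that violations suppressed by DPD::ignore_violations or by the DPD::ignore_violations_after cut-off never populate service_violation, so those two options bound what this script can see.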

Types

DPD::Info
Type:

record

ts: time &log

Timestamp for when protocol analysis failed.

uid: string &log

Connection unique ID.

id: conn_id &log

Connection ID containing the 4-tuple which identifies endpoints.

proto: transport_proto &log

Transport protocol for the violation.

analyzer: string &log

The analyzer that generated the violation.

failure_reason: string &log

The textual reason for the analysis failure.

packet_segment: string &optional &log

(present if policy/frameworks/dpd/packet-segment-logging.zeek is loaded)

A chunk of the payload that most likely resulted in the analyzer violation.

The record type defining the columns to log in the DPD logging stream.

Hooks

DPD::log_policy
Type:

Log::PolicyHook

A default logging policy hook for the stream.
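The log policy hook is the place to shape dpd.log without losing the underlying signal. The script below is an added example and not part of Zeek: it counts every violation per analyzer, then drops one class of records from the log while the count still reflects them. The module name DPDTriage, the table violations_by_analyzer and the specific suppression rule (SSL violations on port 443/tcp) are assumptions for illustration; the analyzer names in DPD::Info$analyzer are the upper-case analyzer names as they appear in dpd.log.

```zeek
# Added example (not part of Zeek): triage dpd.log via DPD::log_policy.
@load base/frameworks/analyzer/dpd

module DPDTriage;   # assumed module name

export {
	## Violations seen per analyzer name, including records that the
	## policy hook below keeps out of dpd.log.
	global violations_by_analyzer: table[string] of count &default = 0;
}

# Signature mandated by Log::PolicyHook: (rec: any, id: Log::ID,
# filter: Log::Filter).  `break` vetoes writing the record.
hook DPD::log_policy(rec: DPD::Info, id: Log::ID, filter: Log::Filter)
	{
	violations_by_analyzer[rec$analyzer] += 1;

	# packet_segment only exists when
	# policy/frameworks/dpd/packet-segment-logging.zeek is loaded, so
	# test for presence before touching it.
	if ( rec?$packet_segment && |rec$packet_segment| == 0 )
		return;

	# Assumed site rule: SSL violations against 443/tcp are considered
	# noise here and are dropped from dpd.log but still counted above.
	if ( rec$analyzer == "SSL" && rec$id$resp_p == 443/tcp )
		break;
	}

# Report the per-analyzer counts at shutdown so suppressed violations
# remain visible to the operator.
event zeek_done()
	{
	for ( a, n in violations_by_analyzer )
		print fmt("%s: %d violation(s)", a, n);
	}
```

Filtering in the hook keeps the decision in one place and leaves the DPD::Info record, including the optional packet_segment column, untouched for every other filter on the stream.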