base/frameworks/analyzer/dpd.zeek
- DPD
Disables analyzers if protocol violations occur, and adds service information to connection log.
- Namespace:
DPD
- Imports:
Summary
Runtime Options
DPD::ignore_violations | Analyzers which you don’t want to remove on violations.
DPD::ignore_violations_after | Ignore violations which go this many bytes into the connection.
DPD::max_violations | Deprecated, please see https://github.com/zeek/zeek/pull/4200 for details
DPD::track_removed_services_in_connection | Change behavior of service field in conn.log: Failed services are no longer removed.
Redefinitions
|
Detailed Interface
Runtime Options
- DPD::ignore_violations
- Type:
- Attributes:
- Default:
{}
- Redefinition:
from base/protocols/dce-rpc/main.zeek
+=: Analyzer::ANALYZER_DCE_RPC
- Redefinition:
from base/protocols/ntlm/main.zeek
+=: Analyzer::ANALYZER_NTLM
Analyzers which you don’t want to remove on violations.
- DPD::ignore_violations_after
-
Ignore violations which go this many bytes into the connection. Set to 0 to never ignore protocol violations.
- DPD::max_violations
- Type:
table[Analyzer::Tag] of count
- Attributes:
&deprecated="Remove in v8.1: This has become non-functional in Zeek 7.2, see PR #4200" &default=5 &optional &redef
- Default:
{}
Deprecated, please see https://github.com/zeek/zeek/pull/4200 for details
- DPD::track_removed_services_in_connection
-
Change behavior of service field in conn.log: Failed services are no longer removed. Instead, for a failed service, a second entry with a “-” in front of it is added. For example, an HTTP connection with a violation would be logged as “http,-http”.
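With this option enabled, any downstream query that matches on the service field also has to account for the “-” entries. The following is an added example, not part of Zeek or its documentation. It separates confirmed from failed services and assumes a comma-separated field and the ASCII log markers "-" (unset) and "(empty)"; the function and type names are hypothetical.

```python
# Added example: interpret the conn.log "service" field when
# DPD::track_removed_services_in_connection is enabled.
from typing import NamedTuple

UNSET = "-"        # assumed marker for an unset field in ASCII logs
EMPTY = "(empty)"  # assumed marker for an empty set in ASCII logs


class ServiceState(NamedTuple):
    confirmed: frozenset  # services logged without a matching "-" entry
    failed: frozenset     # services logged with a "-" entry (violation seen)


def parse_service(field: str) -> ServiceState:
    """Split a value such as "http,-http" into confirmed and failed sets."""
    if field in ("", UNSET, EMPTY):
        return ServiceState(frozenset(), frozenset())
    seen, failed = set(), set()
    for entry in field.split(","):
        entry = entry.strip()
        if not entry or entry == UNSET:
            continue  # ignore blank or bare "-" fragments
        if entry.startswith("-"):
            failed.add(entry[1:])  # "-http" marks http as failed
        else:
            seen.add(entry)
    # A failed service appears twice ("http" and "-http"), so it must be
    # subtracted from the plain entries; entry order is not relied upon.
    return ServiceState(frozenset(seen - failed), frozenset(failed))


# Constructed sample values, not taken from a real capture.
SAMPLES = ["http", "http,-http", "ssl,http,-http", "-", "-ntlm,ntlm,smb"]


def summarize(samples=SAMPLES):
    """Map each raw field value to its parsed state."""
    return {value: parse_service(value) for value in samples}


if __name__ == "__main__":
    for value, state in summarize().items():
        print(f"{value!r:18} confirmed={sorted(state.confirmed)} "
              f"failed={sorted(state.failed)}")
```

A filter written as a plain substring match on "http" would also match “http,-http”, so detections that depend on a confirmed protocol should compare against the confirmed set.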