dpd.zeek

DPD

Disables analyzers if protocol violations occur, and adds service information to connection log.

Namespace:: DPD
Imports:: base/frameworks/analyzer/main.zeek

Summary

Runtime Options

`DPD::ignore_violations`: `set` `&redef`	Analyzers which you don’t want to remove on violations.
`DPD::ignore_violations_after`: `count` `&redef`	Ignore violations which go this many bytes into the connection.
`DPD::track_removed_services_in_connection`: `bool` `&redef`	Change behavior of service field in conn.log: Failed services are no longer removed.

Redefinitions

connection: record

New Fields:

connection

failed_analyzers: set [string] &default = { } &optional: The set of prototol analyzers that were removed due to a protocol violation after the same analyzer had previously been confirmed.

Detailed Interface

Runtime Options

DPD::ignore_violations 

Type:

set [Analyzer::Tag]

Attributes:

&redef

Default:

{}

Redefinition:

from base/protocols/dce-rpc/main.zeek

+=:

Analyzer::ANALYZER_DCE_RPC

Redefinition:

from base/protocols/ntlm/main.zeek

+=:

Analyzer::ANALYZER_NTLM

Analyzers which you don’t want to remove on violations.

DPD::ignore_violations_after 

Type:: count
Attributes:: &redef
Default:: 10240

Ignore violations which go this many bytes into the connection. Set to 0 to never ignore protocol violations.

DPD::track_removed_services_in_connection 

Type:: bool
Attributes:: &redef
Default:: F

Change behavior of service field in conn.log: Failed services are no longer removed. Instead, for a failed service, a second entry with a “-” in front of it is added. E.g. a http connection with a violation would be logged as “http,-http”.