Package: base/frameworks/analyzer
The analyzer framework lets you dynamically enable or disable Zeek’s protocol analyzers, and manage the well-known ports that automatically activate a particular analyzer for new connections.
base/frameworks/analyzer/main.zeek
Framework for managing Zeek’s protocol analyzers.
The analyzer framework lets you dynamically enable or disable analyzers, and manage the well-known ports that automatically activate a particular analyzer for new connections.
Protocol analyzers are identified by unique tags of type Analyzer::Tag, such as Analyzer::ANALYZER_HTTP. These tags are defined internally by the analyzers themselves, and documented in their analyzer-specific description along with the events that they generate.
Analyzer tags are also inserted into a global AllAnalyzers::Tag enum type. This type contains duplicates of all of the Analyzer::Tag, PacketAnalyzer::Tag and Files::Tag enum values and can be used for arguments to function/hook/event definitions where they need to handle any analyzer type. See Analyzer::register_for_ports for an example.
base/frameworks/analyzer/__load__.zeek
base/frameworks/analyzer/dpd.zeek
Disables analyzers if protocol violations occur, and adds service information to connection log.
base/frameworks/analyzer/logging.zeek
Logging analyzer violations into analyzer.log