base/frameworks/dpd/main.bro

DPD

Activates port-independent protocol detection and selectively disables analyzers if protocol violations occur.

Namespace:DPD
Source File:/scripts/base/frameworks/dpd/main.bro

Summary

Options

DPD::ignore_violations: set &redef Analyzers which you don’t want to throw
DPD::ignore_violations_after: count &redef Ignore violations which go this many bytes into the connection.

Types

DPD::Info: record The record type defining the columns to log in the DPD logging stream.

Redefinitions

Log::ID: enum Add the DPD logging stream identifier.
connection: record  

Detailed Interface

Options

DPD::ignore_violations
Type:set [Analyzer::Tag]
Attributes:&redef
Default:
{
   Analyzer::ANALYZER_NTLM,
   Analyzer::ANALYZER_DCE_RPC
}

Analyzers which you don’t want to throw

DPD::ignore_violations_after
Type:count
Attributes:&redef
Default:10240

Ignore violations which go this many bytes into the connection. Set to 0 to never ignore protocol violations.

Types

DPD::Info
Type:

record

ts: time &log

Timestamp for when protocol analysis failed.

uid: string &log

Connection unique ID.

id: conn_id &log

Connection ID containing the 4-tuple which identifies endpoints.

proto: transport_proto &log

Transport protocol for the violation.

analyzer: string &log

The analyzer that generated the violation.

failure_reason: string &log

The textual reason for the analysis failure.

disabled_aids: set [count]

Disabled analyzer IDs. This is only for internal tracking so as to not attempt to disable analyzers multiple times.

packet_segment: string &optional &log

(present if policy/frameworks/dpd/packet-segment-logging.bro is loaded)

A chunk of the payload that most likely resulted in the protocol violation.

The record type defining the columns to log in the DPD logging stream.

Copyright 2016, The Bro Project. Last updated on December 07, 2018. Created using Sphinx 1.8.2.