base/frameworks/dpd/main.bro

Activates port-independent protocol detection and selectively disables analyzers if protocol violations occur.

Namespace:	DPD
Source File:	`/scripts/base/frameworks/dpd/main.bro`

Summary

`DPD::ignore_violations`: `set` `&redef`	Analyzers which you don’t want to throw
`DPD::ignore_violations_after`: `count` `&redef`	Ignore violations which go this many bytes into the connection.

DPD::Info: record The record type defining the columns to log in the DPD logging stream.

`Log::ID`: `enum`	Add the DPD logging stream identifier.
`connection`: `record`

DPD::ignore_violations

{
   Analyzer::ANALYZER_NTLM,
   Analyzer::ANALYZER_DCE_RPC
}

Analyzers which you don’t want to throw

DPD::ignore_violations_after

Ignore violations which go this many bytes into the connection. Set to 0 to never ignore protocol violations.

DPD::Info

Type:

Type:	`record` ts: `time` `&log` Timestamp for when protocol analysis failed. uid: `string` `&log` Connection unique ID. id: `conn_id` `&log` Connection ID containing the 4-tuple which identifies endpoints. proto: `transport_proto` `&log` Transport protocol for the violation. analyzer: `string` `&log` The analyzer that generated the violation. failure_reason: `string` `&log` The textual reason for the analysis failure. disabled_aids: `set` [`count`] Disabled analyzer IDs. This is only for internal tracking so as to not attempt to disable analyzers multiple times. packet_segment: `string` `&optional` `&log` (present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) A chunk of the payload that most likely resulted in the protocol violation.

Timestamp for when protocol analysis failed.

Connection unique ID.