weird functions

The weird analyzer includes the following functions:
report_weird (t: time, name: string, id: string, action: count, no_log: bool)
Reports an event name associated with the connection described by the string id (which may be empty if no connection is associated with the event). action is the action associated with the event. For report_weird, the only distinctions made between the different actions are that WEIRD_IGNORE causes the function to do nothing; any of the WEIRD_LOG flavors cause the function to log a message, unless no_log is true; and WEIRD_UNSPECIFIED causes the function to look up the action in weird_action. If the function does not find an action for the event, then it uses WEIRD_LOG_ALWAYS and prepends the log message with a pair of asterisks (“**”) to flag that this event does not have a specified action.

For WEIRD_FILE, report_weird only records the event once to the file, unless the given event is present in weird_do_not_ignore_repeats. Events with loggable actions are always recorded to weird_file.
report_weird_conn (t: time, name: string, id: string, c: connection)
Reports an event name associated with the connection c, which is described by the string id. If report_weird_conn finds one of the hosts and the given event name in weird_ignore_host, then it does nothing. Otherwise, if the event is in weird_action, it looks up the event in weird_action_filters and invokes the corresponding function if present, otherwise taking the action from weird_action. It then implements the various flavors of WEIRD_LOG by not logging events more than once per connection, originator host, etc., though the events are still written to weird_file. Finally, the function invokes report_weird to do the actual recording and/or writing to weird_file.
report_weird_orig (t: time, name: string, id: string, orig: addr)
Reports an event name associated with the source address orig. id textually describes the flow from orig to the destination, for example using endpoint_id. The function looks up the event name in weird_action and passes it along to report_weird.
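The following site-policy fragment is an added example, not text from the Bro manual; it shows how the tables and sets documented above are tuned so that report_weird and report_weird_conn take the intended action. The event names and the address are constructed, and the declared types of the tables (including the filter function signature function(c: connection): count) are assumed from the descriptions above rather than copied from weird.bro.

```bro
# Added example (not from the Bro manual): tuning the weird analyzer
# through the tables and sets documented in this section. Event names
# and the address are constructed; table/set types are assumed.

# Silence an event entirely: report_weird sees WEIRD_IGNORE and returns.
redef weird_action += { ["example_noisy_weird"] = WEIRD_IGNORE };

# Log an event unconditionally, so the per-connection / per-originator
# suppression in report_weird_conn never drops it.
redef weird_action += { ["example_important_weird"] = WEIRD_LOG_ALWAYS };

# Record every repeat of this WEIRD_FILE event in weird_file instead
# of only the first occurrence.
redef weird_do_not_ignore_repeats += { "example_repeating_weird" };

# report_weird_conn checks weird_ignore_host first: when 203.0.113.7 is
# one of the hosts, example_noisy_weird is dropped before any lookup.
redef weird_ignore_host += { [203.0.113.7, "example_noisy_weird"] };

# Per-connection decision. Assumed filter signature:
# function(c: connection): count, returning a WEIRD_* action.
# Only connections touching a local address are logged; the rest are
# ignored without reaching report_weird.
function filter_example_weird(c: connection): count
    {
    if ( is_local_addr(c$id$orig_h) || is_local_addr(c$id$resp_h) )
        return WEIRD_LOG_ALWAYS;

    return WEIRD_IGNORE;
    }

# The filter is only consulted if the event also has a weird_action
# entry, so register both; the filter's result overrides this default.
redef weird_action += { ["example_conditional_weird"] = WEIRD_LOG_ALWAYS };
redef weird_action_filters += { ["example_conditional_weird"] = filter_example_weird };
```

The WEIRD_UNSPECIFIED fallback still applies to any event not listed here: report_weird logs it with WEIRD_LOG_ALWAYS and the leading “**” marker, which is a useful signal that a site policy entry is missing.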