


7.24.3 weird functions

The weird analyzer includes the following functions:

report_weird (t: time, name: string, id: string, action: count, no_log: bool)
Processes an occurrence of the weird event name associated with the connection described by the string id (which may be empty if no connection is associated with the event). action is the action associated with the event. For report_weird, the only distinctions made between the different actions are that WEIRD_IGNORE causes the function to do nothing; any of the WEIRD_LOG variants causes the function to log a message, unless no_log is true; and WEIRD_UNSPECIFIED causes the function to look up the action in weird_action. If the function does not find an action for the event, then it uses WEIRD_LOG_ALWAYS and prepends the log message with a pair of asterisks (“**”) to flag that this event does not have a specified action.

For WEIRD_FILE, report_weird only records the event once to the file, unless the given event is present in weird_do_not_ignore_repeats. Events with loggable actions are always recorded to weird_file.

report_weird_conn (t: time, name: string, id: string, c: connection)
Processes an occurrence of the weird event name associated with the connection c, which is described by the string id.

If report_weird_conn finds one of the hosts together with the given event name in weird_ignore_host, it does nothing. Then, if the event is in weird_action, it looks up the event in weird_action_filters and invokes the corresponding function if present, and otherwise takes the action from weird_action. It then implements the various flavors of WEIRD_LOG by not logging events more than once per connection, originator host, etc., though the events are still written to weird_file. Finally, the function invokes to do the actual recording and/or writing to weird_file.

report_weird_orig (t: time, name: string, id: string, orig: addr)
Processes an occurrence of the weird event name associated with the source address orig. id textually describes the flow from orig to the destination, for example using endpoint_id.

The function looks up the event name in weird_action and passes it along to report_weird.
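The dispatch rules for report_weird and report_weird_orig described above, written out as a small Python model so the once-per-file suppression, the no_log case and the “**” escalation for unconfigured events can be exercised side by side. This is an added example and not Bro policy-script code: the action constants are string labels standing in for Bro's numeric action values, WEIRD_LOG_ONCE stands in for the other WEIRD_LOG flavors, the WEIRD_FILE once-only check is assumed to be keyed by event name, and the event names and connection id string in demo() are constructed.

```python
# Python model of the report_weird / report_weird_orig dispatch rules.
# Constructed example; not Bro code. Action labels stand in for Bro's counts.

WEIRD_UNSPECIFIED = "WEIRD_UNSPECIFIED"
WEIRD_IGNORE = "WEIRD_IGNORE"
WEIRD_FILE = "WEIRD_FILE"
WEIRD_LOG_ALWAYS = "WEIRD_LOG_ALWAYS"
WEIRD_LOG_ONCE = "WEIRD_LOG_ONCE"   # stand-in for the other WEIRD_LOG flavors
LOG_ACTIONS = {WEIRD_LOG_ALWAYS, WEIRD_LOG_ONCE}


class WeirdReporter:
    """Holds the tables report_weird consults and the two outputs it writes."""

    def __init__(self, weird_action, weird_do_not_ignore_repeats=()):
        self.weird_action = dict(weird_action)                  # name -> action
        self.weird_do_not_ignore_repeats = set(weird_do_not_ignore_repeats)
        self.weird_file = []      # lines written to weird_file
        self.log = []             # messages logged
        self._filed_once = set()  # names already recorded under WEIRD_FILE
                                  # (assumption: suppression is keyed by event name)

    def report_weird(self, t, name, conn_id, action, no_log=False):
        """Return an outcome label: 'ignored', 'logged', 'filed' or 'suppressed'."""
        flagged = False
        if action == WEIRD_UNSPECIFIED:
            action = self.weird_action.get(name)
            if action is None:
                # No configured action: escalate and flag the message with "**".
                action = WEIRD_LOG_ALWAYS
                flagged = True
        if action == WEIRD_IGNORE:
            return "ignored"
        line = f"{t} {name} {conn_id}".rstrip()
        if flagged:
            line = "** " + line
        if action in LOG_ACTIONS:
            # Loggable actions are always recorded to weird_file,
            # but the log message itself is suppressed when no_log is set.
            self.weird_file.append(line)
            if no_log:
                return "filed"
            self.log.append(line)
            return "logged"
        if action == WEIRD_FILE:
            # Record once per event name unless repeats are explicitly wanted.
            if name in self._filed_once and name not in self.weird_do_not_ignore_repeats:
                return "suppressed"
            self._filed_once.add(name)
            self.weird_file.append(line)
            return "filed"
        raise ValueError(f"unknown weird action: {action!r}")

    def report_weird_orig(self, t, name, conn_id, orig):
        """Look the event up in weird_action and hand it to report_weird."""
        action = self.weird_action.get(name, WEIRD_UNSPECIFIED)
        return self.report_weird(t, name, conn_id, action)


def demo():
    # Constructed configuration: event names and the connection id are made up.
    r = WeirdReporter(
        weird_action={"sample_file_only": WEIRD_FILE,
                      "sample_log_once": WEIRD_LOG_ONCE,
                      "sample_repeatable": WEIRD_FILE,
                      "sample_ignored": WEIRD_IGNORE},
        weird_do_not_ignore_repeats={"sample_repeatable"},
    )
    cid = "192.0.2.10/40000 > 192.0.2.20/80"
    outcomes = [
        r.report_weird(1.0, "sample_file_only", cid, WEIRD_UNSPECIFIED),   # filed
        r.report_weird(2.0, "sample_file_only", cid, WEIRD_UNSPECIFIED),   # suppressed repeat
        r.report_weird(3.0, "sample_repeatable", cid, WEIRD_UNSPECIFIED),  # filed
        r.report_weird(4.0, "sample_repeatable", cid, WEIRD_UNSPECIFIED),  # filed again
        r.report_weird(5.0, "sample_log_once", cid, WEIRD_UNSPECIFIED, no_log=True),  # filed only
        r.report_weird(6.0, "sample_ignored", cid, WEIRD_UNSPECIFIED),     # ignored
        r.report_weird_orig(7.0, "sample_unknown", cid, "192.0.2.10"),     # logged with "**"
    ]
    return r, outcomes


if __name__ == "__main__":
    reporter, results = demo()
    print(results)
    print("\n".join(reporter.log))
```

The one line that reaches the log in demo() is the unconfigured event, and it carries the “**” prefix; everything else lands only in weird_file, with the second sample_file_only occurrence dropped while the second sample_repeatable occurrence is kept because that name is in weird_do_not_ignore_repeats.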