Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Normalize http host in seen script.

Browse source 
This changes the behavior to be just like in the base scripts.

Addresses BIT-1695
This commit is contained in:
Johanna Amann 2016-09-22 16:52:59 -07:00
parent 0bc4a5ea52
commit 068c49a3d3
1 changed files with 6 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

8
scripts/policy/frameworks/intel/seen/http-headers.bro
View file

@ -9,13 +9,15 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
switch ( name )
{
case "HOST":
if ( is_valid_ip(value) )
Intel::seen([$host=to_addr(value),
# The split is done to remove the occasional port value that shows up here (see also base script)
local host = split_string1(value, /:/)[0];
if ( is_valid_ip(host) )
Intel::seen([$host=to_addr(host),
$indicator_type=Intel::ADDR,
$conn=c,
$where=HTTP::IN_HOST_HEADER]);
else
Intel::seen([$indicator=value,
Intel::seen([$indicator=host,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=HTTP::IN_HOST_HEADER]);