Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 07:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fix host header normalization in intel framework.

Browse source 
The way we were splitting off ports from host names could fail for IPv6
addresses.

Closes #1844.
This commit is contained in:
Robin Sommer 2021-12-21 08:49:46 +01:00
parent a7427e95bf
commit 07045ec254
No known key found for this signature in database
GPG key ID: 6BEDA4DA6B8B23E3
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
scripts/policy/frameworks/intel/seen/http-headers.zeek
View file

@ -9,8 +9,8 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
switch ( name ) switch ( name )
{ {
case "HOST": case "HOST":
# The split is done to remove the occasional port value that shows up here (see also base script) # Remove the occasional port value that shows up here.
local host = split_string1(value, /:/)[0]; local host = gsub(value, /:[[:digit:]]+$/, "");
if ( is_valid_ip(host) ) if ( is_valid_ip(host) )
Intel::seen([$host=to_addr(host), Intel::seen([$host=to_addr(host),
$indicator_type=Intel::ADDR, $indicator_type=Intel::ADDR,