Fix a problem with DNS servers being logged that aren't actually servers.

Seth Hall 2011-10-25 16:20:29 -04:00
parent 3d6d75b647
commit 17d03c9936


@ -62,14 +62,15 @@ function known_services_done(c: connection)
c$known_services_done = T; c$known_services_done = T;
if ( ! addr_matches_host(id$resp_h, service_tracking) || if ( ! addr_matches_host(id$resp_h, service_tracking) ||
"ftp-data" in c$service ) # don't include ftp data sessions "ftp-data" in c$service || # don't include ftp data sessions
("DNS" in c$service && c$resp$size == 0) ) # for dns, require that the server talks.
return; return;
# If no protocol was detected, wait a short # If no protocol was detected, wait a short
# time before attempting to log in case a protocol is detected # time before attempting to log in case a protocol is detected
# on another connection. # on another connection.
if ( |c$service| == 0 ) if ( |c$service| == 0 )
schedule 2mins { log_it(network_time(), id$resp_h, id$resp_p, c$service) }; schedule 5min { log_it(network_time(), id$resp_h, id$resp_p, c$service) };
else else
event log_it(network_time(), id$resp_h, id$resp_p, c$service); event log_it(network_time(), id$resp_h, id$resp_p, c$service);
} }
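Review bot: The new DNS guard returns after `c$known_services_done = T;` has already run at the top of the hunk, so a connection evaluated before the responder has sent anything is marked done while being skipped. If callers outside this hunk use that flag to avoid calling the function again (not visible here, so confirm), a real DNS server whose reply arrives after the first call would never be logged from that connection, leaving a gap in the service inventory. Moving `c$known_services_done = T;` below the early `return;` would let a later call re-check once `c$resp$size` is non-zero. The `schedule` delay also changes from `2mins` to `5min` without being mentioned in the commit message; a short comment giving the reason would help. The body of known_services_done starts before the hunk.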