Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 18:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Tweak find-filtered-trace to not flag traces if they have non-TCP

Browse source 
traffic.

Closes #160.
This commit is contained in:
Robin Sommer 2020-09-25 11:27:54 +00:00
parent ee5212c4a9
commit 1f6fc4415f
5 changed files with 10 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

7
scripts/base/misc/find-filtered-trace.zeek
View file

@ -32,6 +32,7 @@ function should_detect(): bool
global saw_tcp_conn_with_data: bool = F;
global saw_a_tcp_conn: bool = F;
global saw_a_non_tcp_conn: bool = F;
event connection_state_remove(c: connection)
{
@ -42,7 +43,10 @@ event connection_state_remove(c: connection)
return;
if ( ! is_tcp_port(c$id$orig_p) )
{
saw_a_non_tcp_conn = T;
return;
}
saw_a_tcp_conn = T;
@ -58,6 +62,9 @@ event zeek_done()
if ( ! saw_a_tcp_conn )
return;
if ( saw_a_non_tcp_conn )
return;
if ( ! saw_tcp_conn_with_data )
Reporter::warning("The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Zeek reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.");
}