From 1f7f42daeab33cbee218b9251427d1e7372872a1 Mon Sep 17 00:00:00 2001 From: Mauro Palumbo Date: Wed, 31 Jul 2019 17:07:10 +0200 Subject: [PATCH] drop services starting with - --- scripts/policy/protocols/conn/known-services.zeek | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/scripts/policy/protocols/conn/known-services.zeek b/scripts/policy/protocols/conn/known-services.zeek index 8cdc474864..8b55163703 100644 --- a/scripts/policy/protocols/conn/known-services.zeek +++ b/scripts/policy/protocols/conn/known-services.zeek @@ -223,16 +223,10 @@ function known_services_done(c: connection) return; } - # TODO: this is a temporary patch, because sometimes in c$service the protocol name is written with "-" - # at the beginning. This comes from the analyzers (I've seen it for HTTP and SSL), but causes problems - # when checking for known_services on triplets (host, port, services). The service starting with "-" (i.e. -HTTP) is - # reconized as different from the normal one (HTTP). - # It would be better to correct the analyzers some time later... + # Drop services starting with "-" local tempservs : set[string]; for (s in c$service) - if ( s[0] == "-" ) - add tempservs[s[1:]]; - else + if ( s[0] != "-" ) add tempservs[s]; local info = ServicesInfo($ts = network_time(), $host = id$resp_h,
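Review bot: If every entry in `c$service` starts with "-", `tempservs` is still empty after the loop, and the hunk goes straight on to build `ServicesInfo` from it, so a host/port pair could be recorded as a known service with no service name. A guard right after the loop, `if ( |tempservs| == 0 ) return;`, would make the drop explicit and keep empty records out of an inventory that detections may rely on. The new comment `# Drop services starting with "-"` also loses the rationale the removed TODO carried; I would say why, e.g. `# A leading "-" is added to c$service by the analyzers (seen for HTTP and SSL); skip those entries instead of recording them as the plain service`. `known_services_done` starts and continues outside the hunk, so a later check on the set cannot be ruled out from here.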