Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-08 01:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge remote-tracking branch 'origin/master' into topic/johanna/tls12-decryption

Browse source
This commit is contained in:
Johanna Amann 2022-01-11 11:04:20 +00:00
commit 304a06bb88
36 changed files with 208 additions and 137 deletions
Download patch file Download diff file Expand all files Collapse all files

5
scripts/base/protocols/http/main.zeek
View file

@ -263,8 +263,9 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
c$http$referrer = value;
else if ( name == "HOST" )
# The split is done to remove the occasional port value that shows up here.
c$http$host = split_string1(value, /:/)[0];
# Per #1844, we record the original host header, including any port
# specification if present.
c$http$host = value;
else if ( name == "RANGE" )
c$http$range_request = T;

4
scripts/policy/frameworks/intel/seen/http-headers.zeek
View file

@ -9,8 +9,8 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
switch ( name )
{
case "HOST":
# The split is done to remove the occasional port value that shows up here (see also base script)
local host = split_string1(value, /:/)[0];
# Remove the occasional port value that shows up here.
local host = gsub(value, /:[[:digit:]]+$/, "");
if ( is_valid_ip(host) )
Intel::seen([$host=to_addr(host),
$indicator_type=Intel::ADDR,