dpd: Replace negated service fmt() magic with dedicated field

...the only known cases where the `-` for `connection$service` was handled is to skip/ignore these analyzers. Slight suspicion that join_string_set() should maybe become a bif now determine_service() runs once for each connection. Closes #2388
2025-10-02 14:48:21 +00:00 · 2022-09-05 18:49:42 +02:00 · 2022-09-05 18:49:42 +02:00 · 31aeb58e10
commit 31aeb58e10
parent 20226f084b
6 changed files with 320 additions and 325 deletions
--- a/scripts/base/protocols/conn/main.zeek
+++ b/scripts/base/protocols/conn/main.zeek
@ -6,6 +6,7 @@
 ##! the destination port being the ICMP message code.

@load base/utils/site
+@load base/utils/strings

 module Conn;

@ -225,14 +226,7 @@ function conn_state(c: connection, trans: transport_proto): string

 function determine_service(c: connection): string
 	{
-	local service = "";
-	for ( s in c$service )
-		{
-		if ( sub_bytes(s, 0, 1) != "-" )
-			service = service == "" ? s : cat(service, ",", s);
-		}
-
-	return to_lower(service);
+	return to_lower(join_string_set(c$service, ","));
 	}

 ## Fill out the c$conn record for logging