Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-07 09:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

check for the existance of f?$conns in file_sniff event in policy/protocols/ssl/log-hostcerts-only.zeek

Browse source 
In using the corelight/bro-xor-exe-plugin (https://github.com/corelight/bro-xor-exe-plugin) I noticed this error when running the PCAP trace file in its tests directory:

1428602842.525435 expression error in /opt/zeek/share/zeek/policy/protocols/ssl/log-hostcerts-only.zeek, line 44: field value missing (X509::f$conns)

Examining log-hostcerts-only.zeek, I saw that although f$conns is being checked for length, it's not being checked to see if it exists first.

This commit changes "if ( |f$conns| != 1 )" to "if (( ! f?$conns ) || ( |f$conns| != 1 ))" so that the script returns if there is no f$conns field.

In my local testing, this seems to fix the error. My testing was being done with v3.0.5, but I think this patch can be applied to both the 3.0.x and 3.1.x branches.
This commit is contained in:
SG 2020-04-16 10:19:59 -06:00
parent 991501a3d2
commit 42bf41aca1
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
scripts/policy/protocols/ssl/log-hostcerts-only.zeek
View file

@ -41,7 +41,7 @@ event zeek_init() &priority=2
event file_sniff(f: fa_file, meta: fa_metadata) &priority=4
{
if ( |f$conns| != 1 )
if (( ! f?$conns ) || ( |f$conns| != 1 ))
return;
if ( ! f?$info || ! f$info?$mime_type )