Fix misidentification of SOCKS traffic. Traffic that had a certain bytestring would get incorrectly identified as SOCKS. This seemed to happen a lot with DCE/RPC traffic.

Vlad Grigorescu 2014-01-24 21:00:55 -05:00
parent 430cf311e9
commit 56acd99d15


@ -64,6 +64,12 @@ refine connection SOCKS_Conn += {
bro_analyzer()->ProtocolViolation(fmt("invalid value in reserved field: %d", ${request.reserved}));
return false;
}
if ( ( ${request.command} == 0 ) || ( ${request.command} > 3 ) )
{
bro_analyzer()->ProtocolViolation(fmt("invalid value in reserved field: %d", ${request.reserved}));
bro_analyzer()->SetSkip(true);
return false;
}
RecordVal* sa = new RecordVal(socks_address);