From 5a3d16e16f358750da5a152cec8e451bbdb05d0e Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Tue, 12 Nov 2024 12:54:47 -0700
Subject: [PATCH] Use new_connection instead of connection_state_remove

---
 scripts/policy/protocols/conn/ip-proto-name-logging.zeek | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/scripts/policy/protocols/conn/ip-proto-name-logging.zeek b/scripts/policy/protocols/conn/ip-proto-name-logging.zeek
index 6fdb8a0021..1f8cb86771 100644
--- a/scripts/policy/protocols/conn/ip-proto-name-logging.zeek
+++ b/scripts/policy/protocols/conn/ip-proto-name-logging.zeek
@@ -160,8 +160,10 @@ global protocol_names: table[count] of string = {
 	[145] = "nsh"
 };
 
-event connection_state_remove(c: connection) {
-	if ( c$conn$ip_proto in protocol_names ) {
+event new_connection(c: connection) &priority=5 {
+	# In case we're the first access
+	Conn::set_conn(c, F);
+	if ( c$conn?$ip_proto && c$conn$ip_proto in protocol_names ) {
 		c$conn$ip_proto_name = protocol_names[c$conn$ip_proto];
 	} else {
 		c$conn$ip_proto_name = "unknown";