From 66d07c31fabefd72f5bd5c4c12ac4cfcc545c15f Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Thu, 6 Feb 2025 14:20:53 +0000
Subject: [PATCH] DPD: failed services logging alignment

There were some special cases in which the failed-service-logging policy script might log a service being removed that was not removed due to an analyzer violation. This change should fix these cases.
---
 .../protocols/conn/failed-service-logging.zeek | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/scripts/policy/protocols/conn/failed-service-logging.zeek b/scripts/policy/protocols/conn/failed-service-logging.zeek
index 291b44de19..f86fcd38ca 100644
--- a/scripts/policy/protocols/conn/failed-service-logging.zeek
+++ b/scripts/policy/protocols/conn/failed-service-logging.zeek
@@ -4,6 +4,7 @@
 ##! that they were removed.
 @load base/protocols/conn
+@load base/frameworks/analyzer/dpd
 module Conn;
@@ -19,9 +20,16 @@ hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid:
 if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
 return;
- # Only add if previously confirmed
- if ( Analyzer::name(atype) !in c$service )
+ if ( Analyzer::name(atype) !in c$service || Analyzer::name(atype) !in c$service_violation )
+ return;
+
+ # Only log if dpd.zeek will disable
+ if ( atype in DPD::ignore_violations )
+ return;
+
+ local size = c$orig$size + c$resp$size;
+ if ( DPD::ignore_violations_after > 0 && size > DPD::ignore_violations_after )
 return;
 set_conn(c, F);
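Review bot: The added `@load base/frameworks/analyzer/dpd` in the first hunk carries no comment saying why a policy script now depends on the DPD framework, and the reason is only visible further down the file, where the new checks read `DPD::ignore_violations` and `DPD::ignore_violations_after`. A one-line why-comment above the load would spare the next maintainer that search, e.g. `# Needed for DPD::ignore_violations and DPD::ignore_violations_after, consulted in Analyzer::disabling_analyzer below.` Those checks appear to mirror the conditions dpd.zeek applies before it disables an analyzer, so the comment could also state that the two must be kept in sync, since a change to the DPD tunables' semantics would silently desynchronize what this script logs as a failed service.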