Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

DPD: failed services logging alignment

Browse source 
There were some special cases in which the failed-service-logging policy
script might log a service being removed that was not removed due to an
analyzer violation. This change should fix these cases.
This commit is contained in:
Johanna Amann 2025-02-06 14:20:53 +00:00
parent 0e9cf7b019
commit 66d07c31fa
1 changed files with 10 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

12
scripts/policy/protocols/conn/failed-service-logging.zeek
View file

@ -4,6 +4,7 @@
##! that they were removed. ##! that they were removed.
@load base/protocols/conn @load base/protocols/conn
@load base/frameworks/analyzer/dpd
module Conn; module Conn;
@ -19,9 +20,16 @@ hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid:
if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) ) if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
return; return;
# Only add if previously confirmed # Only add if previously confirmed
if ( Analyzer::name(atype) !in c$service ) if ( Analyzer::name(atype) !in c$service || Analyzer::name(atype) !in c$service_violation )
return;
# Only log if dpd.zeek will disable
if ( atype in DPD::ignore_violations )
return;
local size = c$orig$size + c$resp$size;
if ( DPD::ignore_violations_after > 0 && size > DPD::ignore_violations_after )
return; return;
set_conn(c, F); set_conn(c, F);