Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-07 09:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

problem: gridftp threshold is being applied to all connections

Browse source 
The bytes_threshold_crossed event in the gridftp analyzer is not first
checking to see if the connection passed the initial criteria.  This
causes the script to add the gridftp-data service to any connection that
crosses a threshold that is the same as or greater than the gridftp
size_threshold.
This commit is contained in:
Justin Azoff 2017-09-21 10:50:26 -04:00
parent 8403fd9f94
commit 6b864d5dd2
1 changed files with 2 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
scripts/base/protocols/ftp/gridftp.bro
View file

@ -74,6 +74,8 @@ event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is
{ {
if ( threshold < size_threshold || "gridftp-data" in c$service || c$duration > max_time ) if ( threshold < size_threshold || "gridftp-data" in c$service || c$duration > max_time )
return; return;
if ( ! data_channel_initial_criteria(c) )
return;
add c$service["gridftp-data"]; add c$service["gridftp-data"];
event GridFTP::data_channel_detected(c); event GridFTP::data_channel_detected(c);