From f293d5a852afff0cbdbbccb600b95c2a9aa9086d Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 6 May 2025 13:37:12 +0100
Subject: [PATCH] Fix policy/protocols/conn/failed-service-logging.zeek

In GH-4422 it was pointed out that the protocols/conn/failed-service-logging.zeek policy script only works when `DPD::track_removed_services_in_connection=T` is set. This was caused by a logic error in the script. This commit fixes this logic error and introduces an additional test that checks that failed-service-logging works even when the option is not set to true.
---
 .../policy/protocols/conn/failed-service-logging.zeek | 2 +-
 .../conn.log | 11 +++++++++++
 .../analyzer/dpd-logging-configuration.zeek | 4 ++++
 3 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/scripts.base.frameworks.analyzer.dpd-logging-configuration-2/conn.log
diff --git a/scripts/policy/protocols/conn/failed-service-logging.zeek b/scripts/policy/protocols/conn/failed-service-logging.zeek
index f86fcd38ca..c55abea599 100644
--- a/scripts/policy/protocols/conn/failed-service-logging.zeek
+++ b/scripts/policy/protocols/conn/failed-service-logging.zeek
@@ -21,7 +21,7 @@ hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid:
 return;
 # Only add if previously confirmed
- if ( Analyzer::name(atype) !in c$service || Analyzer::name(atype) !in c$service_violation )
+ if ( Analyzer::name(atype) !in c$service && Analyzer::name(atype) !in c$service_violation )
 return;
 # Only log if dpd.zeek will disable
diff --git a/testing/btest/Baseline/scripts.base.frameworks.analyzer.dpd-logging-configuration-2/conn.log b/testing/btest/Baseline/scripts.base.frameworks.analyzer.dpd-logging-configuration-2/conn.log
new file mode 100644
index 0000000000..9bfe8e7d6c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.analyzer.dpd-logging-configuration-2/conn.log
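Review bot: The context comment `# Only add if previously confirmed` directly above the changed condition no longer describes it: with `&&` the guard now lets the hook continue when the analyzer name is present in either `c$service` or `c$service_violation`, while the comment reads as "present in c$service" only. Suggest rewording it to `# Only add if previously confirmed: still listed in c$service, or already recorded in c$service_violation` so the next reader does not "fix" the operator back. `Analyzer::name(atype)` is also evaluated twice in the same expression; binding it once before the check, `local aname = Analyzer::name(atype);`, and testing `aname !in c$service && aname !in c$service_violation` keeps the condition readable. The enclosing hook `Analyzer::disabling_analyzer` starts and ends outside the hunk, so the earlier guard that leads to the first `return;` is not visible here.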
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto failed_service
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count set[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51354 127.0.0.1 21 tcp - 9.891089 34 71 SF T T 0 ShAdDaFf 13 718 10 599 - 6 ftp
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/scripts/base/frameworks/analyzer/dpd-logging-configuration.zeek b/testing/btest/scripts/base/frameworks/analyzer/dpd-logging-configuration.zeek
index 2f1914efa7..9a767bb774 100644
--- a/testing/btest/scripts/base/frameworks/analyzer/dpd-logging-configuration.zeek
+++ b/testing/btest/scripts/base/frameworks/analyzer/dpd-logging-configuration.zeek
@@ -5,3 +5,7 @@
 @load policy/protocols/conn/failed-service-logging
 redef DPD::track_removed_services_in_connection = T;
+
+ # @TEST-START-NEXT
+
+ @load policy/protocols/conn/failed-service-logging