Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 20:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

remove hyphen in front of some services (for example -HTTP, -SSL)

Browse source 
In some cases, there is an hyphen before the protocol name in the field
  connection$service. This can cause problems in known_services and
  is removed here. It originates probably in some analyzer where it
  would be better removed in the future.
This commit is contained in:
Mauro Palumbo 2019-07-25 16:50:03 +02:00
parent 9faabe9991
commit 98f8eb6317
1 changed files with 15 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

14
scripts/policy/protocols/conn/known-services.zeek
View file

@ -212,10 +212,22 @@ function known_services_done(c: connection)
return; return;
} }
# TODO: this is a temporary patch, because sometimes in c$service the protocol name is written with "-"
# at the beginning. This comes from the analyzers (I've seen it for HTTP and SSL), but causes problems
# when checking for known_services on triplets (host, port, services). The service starting with "-" (i.e. -HTTP) is
# reconized as different from the normal one (HTTP).
# It would be better to correct the analyzers some time later...
local tempservs : set[string];
for (s in c$service)
if ( s[0] == "-" )
add tempservs[s[1:]];
else
add tempservs[s];
local info = ServicesInfo($ts = network_time(), $host = id$resp_h, local info = ServicesInfo($ts = network_time(), $host = id$resp_h,
$port_num = id$resp_p, $port_num = id$resp_p,
$port_proto = get_port_transport_proto(id$resp_p), $port_proto = get_port_transport_proto(id$resp_p),
$service = c$service); $service = tempservs);
# If no protocol was detected, wait a short time before attempting to log # If no protocol was detected, wait a short time before attempting to log
# in case a protocol is detected on another connection. # in case a protocol is detected on another connection.