Some small fixes to further reduce SOCKS false positive logs.

Seth Hall 2012-07-11 16:53:46 -04:00
parent e3f6a467a4
commit a44612788e
2 changed files with 12 additions and 2 deletions


@ -83,5 +83,8 @@ event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Addres
event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port) &priority=-5 event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port) &priority=-5
{ {
# This will handle the case where the analyzer failed in some way and was removed. We probably
# don't want to log these connections.
if ( "SOCKS" in c$service )
Log::write(SOCKS::LOG, c$socks); Log::write(SOCKS::LOG, c$socks);
} }
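Review bot: The new guard `if ( "SOCKS" in c$service )` discards the record silently, so a reply that was parsed before the analyzer was removed leaves no entry in the SOCKS log, and the comment's "probably" leaves the reason for accepting that unclear. For anyone using this log for detection or incident review, the comment should state the trade-off explicitly, for example `# Skip logging once SOCKS is no longer in c$service (analyzer removed after a violation); such sessions are intentionally absent from this log.` The guard also does not check that `c$socks` is set; presumably a higher-priority `socks_reply` handler outside this hunk always sets it, but if that is not guaranteed, `c?$socks` belongs in the condition too.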


@ -66,9 +66,16 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
ForwardStream(len, data, orig); ForwardStream(len, data, orig);
} }
else else
{
try
{ {
interp->NewData(orig, data, data + len); interp->NewData(orig, data, data + len);
} }
catch ( const binpac::Exception& e )
{
ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
}
}
} }
void SOCKS_Analyzer::Undelivered(int seq, int len, bool orig) void SOCKS_Analyzer::Undelivered(int seq, int len, bool orig)
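Review bot: After the new `catch ( const binpac::Exception& e )` block reports the violation, nothing visible here stops later segments of the same connection from reaching `interp->NewData(orig, data, data + len)` again. The parser may then be in a partly consumed state, and each further failure would raise another violation, which works against the commit's aim of fewer false-positive logs. If analyzer removal after `ProtocolViolation` is not guaranteed (that logic is outside this hunk), consider a member flag (constructed name `parse_failed`) set in the catch block and tested before the `try`. It would also help later triage to pass the offending bytes along, `ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()), (const char*) data, len);`. The start of `DeliverStream` lies outside the hunk, so an existing guard earlier in the function cannot be ruled out.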