Some small fixes to further reduce SOCKS false positive logs.

2025-10-02 14:48:21 +00:00 · 2012-07-11 16:53:46 -04:00 · 2012-07-11 16:53:46 -04:00 · a44612788e
commit a44612788e
parent e3f6a467a4
2 changed files with 12 additions and 2 deletions
--- a/scripts/base/protocols/socks/main.bro
+++ b/scripts/base/protocols/socks/main.bro
@ -83,5 +83,8 @@ event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Addres

 event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port) &priority=-5
 	{
-	Log::write(SOCKS::LOG, c$socks);
+	# This will handle the case where the analyzer failed in some way and was removed.  We probably 
+	# don't want to log these connections.
+	if ( "SOCKS" in c$service )
+		Log::write(SOCKS::LOG, c$socks);
 	}
--- a/src/SOCKS.cc
+++ b/src/SOCKS.cc
@ -67,7 +67,14 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	else
 		{
-		interp->NewData(orig, data, data + len);
+		try
+			{
+			interp->NewData(orig, data, data + len);
+			}
+		catch ( const binpac::Exception& e )
+			{
+			ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+			}
 		}
 	}