From 780aae8e51d6c2bb8b7f2a91877a2324a727d1c1 Mon Sep 17 00:00:00 2001
From: Mauro Palumbo
Date: Thu, 25 Jul 2019 16:58:52 +0200
Subject: [PATCH] remove empty services and include udp active connections when logging in connection_state_remove

---
 scripts/policy/protocols/conn/known-services.zeek | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/scripts/policy/protocols/conn/known-services.zeek b/scripts/policy/protocols/conn/known-services.zeek
index 24774586dc..7ebec4d83a 100644
--- a/scripts/policy/protocols/conn/known-services.zeek
+++ b/scripts/policy/protocols/conn/known-services.zeek
@@ -210,7 +210,12 @@ event connection_state_remove(c: connection) &priority=-5
 	if ( c$known_services_done )
 		return;
 
-	if ( c$resp$state != TCP_ESTABLISHED )
+	# log tcp connection if established or udp if active
+	if ( c$resp$state != TCP_ESTABLISHED && c$resp$state != UDP_ACTIVE)
+		return;
+
+	# don't log empty service
+	if ( |c$service| == 0 )
 		return;
 
 	known_services_done(c);
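Review bot: The new condition treats a responder in `UDP_ACTIVE` as equivalent to a completed TCP handshake, but for UDP that state presumably only means the responder endpoint emitted at least one datagram, which is a much weaker signal that a real service is listening (a single stray or spoofed datagram appearing to come from the responder would likely suffice), and the added comment does not say so. I would extend the comment to `# log tcp connection if established or udp if active (UDP_ACTIVE only means the responder sent something; weaker evidence than a TCP handshake)` so operators consuming known_services.log know UDP entries deserve less trust. The same line also drops the space before the closing parenthesis, unlike every other condition in this hunk; it should read `if ( c$resp$state != TCP_ESTABLISHED && c$resp$state != UDP_ACTIVE )`. The enclosing connection_state_remove handler begins before and ends after this hunk.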