diff --git a/CHANGES b/CHANGES
index 6c7a6a3c98..3502b65115 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
+3.3.0-dev.352 | 2020-09-25 15:09:29 -0700
+
+  * GH-160: change find-filtered-trace to ignore pcaps with any non-TCP traffic (Robin Sommer, Corelight)
+
 3.3.0-dev.350 | 2020-09-25 14:37:58 -0700
 
   * Add dce_rpc_request_stub and dce_rpc_response_stub events (Yacin Nadji, Corelight)
 
diff --git a/VERSION b/VERSION
index 5dc45fe664..e4115fd4c7 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.3.0-dev.350
+3.3.0-dev.352
diff --git a/scripts/base/misc/find-filtered-trace.zeek b/scripts/base/misc/find-filtered-trace.zeek
index 504b58916e..7d25e70a6f 100644
--- a/scripts/base/misc/find-filtered-trace.zeek
+++ b/scripts/base/misc/find-filtered-trace.zeek
@@ -32,6 +32,7 @@ function should_detect(): bool
 
 global saw_tcp_conn_with_data: bool = F;
 global saw_a_tcp_conn: bool = F;
+global saw_a_non_tcp_conn: bool = F;
 
 event connection_state_remove(c: connection)
 	{
@@ -42,7 +43,10 @@ event connection_state_remove(c: connection)
 		return;
 
 	if ( ! is_tcp_port(c$id$orig_p) )
+		{
+		saw_a_non_tcp_conn = T;
 		return;
+		}
 
 	saw_a_tcp_conn = T;
 
@@ -58,6 +62,9 @@ event zeek_done()
 	if ( ! saw_a_tcp_conn )
 		return;
 
+	if ( saw_a_non_tcp_conn )
+		return;
+
 	if ( ! saw_tcp_conn_with_data )
 		Reporter::warning("The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Zeek reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.");
 	}
diff --git a/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1 b/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1
index 6452fb1883..ce9f0cecc7 100644
--- a/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1
+++ b/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1
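Review bot: The new `if ( saw_a_non_tcp_conn ) return;` in zeek_done() carries no explanation of why a single non-TCP connection anywhere in the trace disables the filtered-trace warning; the rationale (a trace that still carries UDP or other non-TCP flows was evidently not filtered down to TCP control packets, so the only-control-packets heuristic does not apply) exists only in the CHANGES entry. I would put `# A trace that kept non-TCP traffic was not pre-filtered to TCP control packets; the heuristic does not apply.` above the check, and the resulting trade-off (one stray non-TCP flow now suppresses detection for the whole trace, a deliberate bias toward false negatives) belongs in the script's header documentation, which lies outside this hunk. The two guards could also be folded into one, `if ( ! saw_a_tcp_conn || saw_a_non_tcp_conn ) return;`. The flag is written only at the `is_tcp_port` branch in the connection_state_remove hunk, which sits after an earlier `return;` whose condition is outside that hunk, so connections rejected by that first gate presumably never mark the trace as non-TCP; worth confirming that is intended. The opening of zeek_done() lies before this hunk.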
@@ -1 +1 @@
-1389719059.311687 warning in /home/jon/pro/zeek/zeek/scripts/base/misc/find-filtered-trace.zeek, line 62: The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Zeek reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.
+1389719059.311687 warning in /Users/robin/bro/topic/scripts/base/misc/find-filtered-trace.zeek, line 69: The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Zeek reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.
diff --git a/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out3 b/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out3
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Traces/wikipedia-filtered-plus-udp.trace b/testing/btest/Traces/wikipedia-filtered-plus-udp.trace
new file mode 100644
index 0000000000..a35da062d5
Binary files /dev/null and b/testing/btest/Traces/wikipedia-filtered-plus-udp.trace differ
diff --git a/testing/btest/scripts/base/misc/find-filtered-trace.test b/testing/btest/scripts/base/misc/find-filtered-trace.test
index 65a7f2ec5a..1875f4de0e 100644
--- a/testing/btest/scripts/base/misc/find-filtered-trace.test
+++ b/testing/btest/scripts/base/misc/find-filtered-trace.test
@@ -1,6 +1,8 @@
 # @TEST-EXEC: zeek -b -r $TRACES/http/bro.org-filtered.pcap %INPUT >out1 2>&1
 # @TEST-EXEC: zeek -b -r $TRACES/http/bro.org-filtered.pcap %INPUT "FilteredTraceDetection::enable=F" >out2 2>&1
+# @TEST-EXEC: zeek -b -r $TRACES/wikipedia-filtered-plus-udp.trace %INPUT >out3 2>&1
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out1
 # @TEST-EXEC: btest-diff out2
+# @TEST-EXEC: btest-diff out3
 
 @load base/misc/find-filtered-trace
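Review bot: The added `btest-diff out3` compares against the new empty baseline without the `TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath` that the out1 check two lines above uses, even though out3 captures the same merged stream (`2>&1`) that on a regression would carry the warning's absolute script path and line number. That is harmless while the baseline stays empty, but a future failure would then show a machine-specific path instead of a canonified message, and the two checks of the same warning would be held to different rules. I would write `# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out3` for consistency with out1. An empty out3 only proves the warning was silenced; the test relies on the trace name to convey that UDP traffic is what silenced it, so a short comment above the new TEST-EXEC line naming that intent would help the next reader.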