Merge remote-tracking branch 'origin/topic/robin/filtered-trace'
* origin/topic/robin/filtered-trace: Tweak find-filtered-trace to not flag traces if they have non-TCP traffic.
This commit is contained in:
commit
b065b6ed61
7 changed files with 15 additions and 2 deletions
4
CHANGES
4
CHANGES
|
@ -1,4 +1,8 @@
|
|||
|
||||
3.3.0-dev.352 | 2020-09-25 15:09:29 -0700
|
||||
|
||||
* GH-160: change find-filtered-trace to ignore pcaps with any non-TCP traffic (Robin Sommer, Corelight)
|
||||
|
||||
3.3.0-dev.350 | 2020-09-25 14:37:58 -0700
|
||||
|
||||
* Add dce_rpc_request_stub and dce_rpc_response_stub events (Yacin Nadji, Corelight)
|
||||
|
|
2
VERSION
2
VERSION
|
@ -1 +1 @@
|
|||
3.3.0-dev.350
|
||||
3.3.0-dev.352
|
||||
|
|
|
@ -32,6 +32,7 @@ function should_detect(): bool
|
|||
|
||||
global saw_tcp_conn_with_data: bool = F;
|
||||
global saw_a_tcp_conn: bool = F;
|
||||
global saw_a_non_tcp_conn: bool = F;
|
||||
|
||||
event connection_state_remove(c: connection)
|
||||
{
|
||||
|
@ -42,7 +43,10 @@ event connection_state_remove(c: connection)
|
|||
return;
|
||||
|
||||
if ( ! is_tcp_port(c$id$orig_p) )
|
||||
{
|
||||
saw_a_non_tcp_conn = T;
|
||||
return;
|
||||
}
|
||||
|
||||
saw_a_tcp_conn = T;
|
||||
|
||||
|
@ -58,6 +62,9 @@ event zeek_done()
|
|||
if ( ! saw_a_tcp_conn )
|
||||
return;
|
||||
|
||||
if ( saw_a_non_tcp_conn )
|
||||
return;
|
||||
|
||||
if ( ! saw_tcp_conn_with_data )
|
||||
Reporter::warning("The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Zeek reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.");
|
||||
}
|
||||
|
|
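Review bot: In the `connection_state_remove` hunk, setting `saw_a_non_tcp_conn = T` on the first non-TCP connection means a single DNS, ICMP or other non-TCP flow anywhere in the capture now suppresses the warning entirely, so a trace filtered with something like "TCP control packets or UDP" is still missing every TCP payload yet is no longer reported. That trade-off (fewer false positives on mixed traces, at the cost of false negatives whenever any non-TCP packet survived the filter) is presumably the intent of GH-160, but nothing in the script records it, and the flag name alone does not explain why one connection is decisive. I would document it at the declaration: `## Any non-TCP connection disables the warning: the heuristic assumes a pre-filtered capture keeps only TCP control packets, so a single UDP/ICMP flow is taken as evidence the trace was not filtered (accepts false negatives to avoid false positives, GH-160).` Optionally, once the flag is set the remaining per-connection bookkeeping in the handler is dead work and could be skipped with an early `return` after the `saw_a_tcp_conn`/history checks, since `zeek_done` returns before reading them. The `connection_state_remove` body starts in the preceding hunk and continues past this one, and `zeek_done` begins outside the third hunk.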
|
@ -1 +1 @@
|
|||
1389719059.311687 warning in /home/jon/pro/zeek/zeek/scripts/base/misc/find-filtered-trace.zeek, line 62: The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Zeek reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.
|
||||
1389719059.311687 warning in /Users/robin/bro/topic/scripts/base/misc/find-filtered-trace.zeek, line 69: The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Zeek reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.
|
||||
|
|
BIN
testing/btest/Traces/wikipedia-filtered-plus-udp.trace
Normal file
BIN
testing/btest/Traces/wikipedia-filtered-plus-udp.trace
Normal file
Binary file not shown.
|
@ -1,6 +1,8 @@
|
|||
# @TEST-EXEC: zeek -b -r $TRACES/http/bro.org-filtered.pcap %INPUT >out1 2>&1
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/bro.org-filtered.pcap %INPUT "FilteredTraceDetection::enable=F" >out2 2>&1
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/wikipedia-filtered-plus-udp.trace %INPUT >out3 2>&1
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out1
|
||||
# @TEST-EXEC: btest-diff out2
|
||||
# @TEST-EXEC: btest-diff out3
|
||||
|
||||
@load base/misc/find-filtered-trace
|
||||
|
|
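Review bot: The new `out3` run is diffed without the `TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath` that `out1` needs, which only works because the expected output for the UDP-containing trace is presumably empty; if the detector ever fires on that trace, the baseline would embed a machine-specific script path and fail on other hosts. For consistency with `out1` I would use `# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out3`. It would also be worth a one-line comment above the third invocation stating that this trace is expected to produce no warning, since an empty baseline does not explain itself.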