Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/infallible-analyzer-violation'

Browse source 
* origin/infallible-analyzer-violation:
  Remove use of fallible `get_conn_transport_proto` in `analyzer_violation`.
This commit is contained in:
Johanna Amann 2022-07-19 12:57:11 +01:00
commit b27c114d68
3 changed files with 17 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

15
CHANGES
View file

@ -1,3 +1,18 @@
5.1.0-dev.273 | 2022-07-19 12:57:11 +0100
* Remove use of fallible `get_conn_transport_proto` in `analyzer_violation`. (Benjamin Bannier, Corelight)
When setting up the DPD info we previously would get the
`transport_proto` for the connection with `get_conn_transport_proto`.
This function takes a `conn_id` and would fail fatally if the connection
for the given ID was unknown. It seems it was possible to run into such
scenarios when the `analyzer_violation` event was processed after the
connection had been cleaned up.
We now get the `transport_proto` directly from the ports in the
`connection` passed into `analyzer_violation` via
`get_port_transport_proto` which cannot fail.
5.1.0-dev.271 | 2022-07-19 12:01:41 +0200 5.1.0-dev.271 | 2022-07-19 12:01:41 +0200
* GH-2276: Raise smb2_file_delete for CREATE with * GH-2276: Raise smb2_file_delete for CREATE with

2
VERSION
View file

@ -1 +1 @@
5.1.0-dev.271 5.1.0-dev.273

2
scripts/base/frameworks/dpd/main.zeek
View file

@ -79,7 +79,7 @@ event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count,
info$ts=network_time(); info$ts=network_time();
info$uid=c$uid; info$uid=c$uid;
info$id=c$id; info$id=c$id;
info$proto=get_conn_transport_proto(c$id); info$proto=get_port_transport_proto(c$id$orig_p);
info$analyzer=analyzer; info$analyzer=analyzer;
info$failure_reason=reason; info$failure_reason=reason;
c$dpd = info; c$dpd = info;