Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'known_services_multiprotocols' of https://github.com/mauropalumbo75/zeek

Browse source 
* 'known_services_multiprotocols' of https://github.com/mauropalumbo75/zeek:
  improve logging with broker store
  drop services starting with -
  remove service from key for Cluster::publish_hrw
  remove check for empty services
  update tests
  order list of services in store key
  remove repeated services in logs if already seen
  add multiprotocol known_services when Known::use_service_store = T
  remove hyphen in front of some services (for example -HTTP, -SSL)   In some cases, there is an hyphen before the protocol name in the field   connection$service. This can cause problems in known_services and   is removed here. It originates probably in some analyzer where it   would be better removed in the future.
  add multiprotocol known_services when Known::use_service_store = F

Changes during merge:
  * whitespace
  * add unit test
This commit is contained in:
Jon Siwek 2019-08-09 10:43:28 -07:00
commit bf9b983f00
10 changed files with 119 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

7
testing/btest/scripts/policy/protocols/conn/known-services-multi.zeek Normal file
View file

@ -0,0 +1,7 @@
# A test case for when more than a single service is detected for a given
# (addr, port) pair.
# @TEST-EXEC: zeek -C -r $TRACES/ssl-and-ssh-using-sslh.trace %INPUT "Known::service_tracking = ALL_HOSTS"
# @TEST-EXEC: btest-diff known_services.log
@load protocols/conn/known-services