Merge branch 'known_services_multiprotocols' of https://github.com/mauropalumbo75/zeek

* 'known_services_multiprotocols' of https://github.com/mauropalumbo75/zeek: improve logging with broker store drop services starting with - remove service from key for Cluster::publish_hrw remove check for empty services update tests order list of services in store key remove repeated services in logs if already seen add multiprotocol known_services when Known::use_service_store = T remove hyphen in front of some services (for example -HTTP, -SSL) In some cases, there is an hyphen before the protocol name in the field connection$service. This can cause problems in known_services and is removed here. It originates probably in some analyzer where it would be better removed in the future. add multiprotocol known_services when Known::use_service_store = F Changes during merge: * whitespace * add unit test
2025-10-02 06:38:20 +00:00 · 2019-08-09 10:43:28 -07:00 · 2019-08-09 10:43:28 -07:00 · bf9b983f00
commit bf9b983f00
parent a68c9f6b71 e206347d1a
10 changed files with 119 additions and 30 deletions
--- a/7
+++ b/7
@ -1,4 +1,11 @@
 3.1.0-dev.18 | 2019-08-09 10:43:28 -0700
  * GH-419: improve multi-protocol logging in known_services.log (Mauro Palumbo)
    Previously, when multiple protocols were detected on a given addr/port
    pair, not all protocols were always logged.
 3.1.0-dev.7 | 2019-08-09 09:56:06 -0700
  * Remove empty services from known_services.log (Mauro Palumbo)
--- a/19
+++ b/19
@ -3,6 +3,25 @@ This document summarizes the most important changes in the current Zeek
 release. For an exhaustive list of changes, see the ``CHANGES`` file
 (note that submodules, such as Broker, come with their own ``CHANGES``.)
 Zeek 3.1.0
 ==========
 New Functionality
 -----------------
 Changed Functionality
 ---------------------
 - The key type of ``Known::service_store`` has changed to
  ``Known::AddrPortServTriplet`` and ``Known::services`` is now a table
  instead of just a set.
 Removed Functionality
 ---------------------
 Deprecated Functionality
 ------------------------
 Zeek 3.0.0
 ==========
--- a/2
+++ b/2
@ -1 +1 @@
-3.1.0-dev.7
+3.1.0-dev.18
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 1cd9867ca6c8ab73db1f2b665ec69332fe88734c
+Subproject commit 56019a5297cd5d167e0febc6b0b33a32a9dbe96e
--- a/scripts/policy/protocols/conn/known-services.zeek
+++ b/scripts/policy/protocols/conn/known-services.zeek
@ -37,13 +37,14 @@ export {
 	## See :zeek:type:`Host` for possible choices.
 	option service_tracking = LOCAL_HOSTS;
-	type AddrPortPair: record {
+	type AddrPortServTriplet: record {
 		host: addr;
 		p: port;
 		serv: string;
 	};
 	## Holds the set of all known services.  Keys in the store are
-	## :zeek:type:`Known::AddrPortPair` and their associated value is
+	## :zeek:type:`Known::AddrPortServTriplet` and their associated value is
 	## always the boolean value of "true".
 	global service_store: Cluster::StoreInfo;
@ -62,11 +63,11 @@ export {
 	## of duplicates, but can also be inspected by other scripts for
 	## different purposes.
 	##
-	## In cluster operation, this set is uniformly distributed across
+	## In cluster operation, this table is uniformly distributed across
 	## proxy nodes.
 	##
-	## This set is automatically populated and shouldn't be directly modified.
+	## This table is automatically populated and shouldn't be directly modified.
-	global services: set[addr, port] &create_expire=1day;
+	global services: table[addr, port] of set[string] &create_expire=1day;
 	## Event that can be handled to access the :zeek:type:`Known::ServicesInfo`
 	## record as it is sent on to the logging framework.
@ -79,6 +80,20 @@ redef record connection += {
 	known_services_done: bool &default=F;
 };
 # Check if the triplet (host,port_num,service) is already in Known::services
 function check(info: ServicesInfo) : bool
 	{
 	if ( [info$host, info$port_num] !in Known::services )
 		return F;
 	for ( s in info$service )
 		{
 		if ( s !in Known::services[info$host, info$port_num] )
 			return F;
 		}
 	return T;
 	}
 event zeek_init()
 	{
@ -89,28 +104,34 @@ event zeek_init()
 	}
 event service_info_commit(info: ServicesInfo)
 	{
 	if ( ! Known::use_service_store )
 		return;
-	local key = AddrPortPair($host = info$host, $p = info$port_num);
+	local tempservs = info$service;
-	when ( local r = Broker::put_unique(Known::service_store$store, key,
+	for ( s in tempservs )
 	                                    T, Known::service_store_expiry) )
 		{
-		if ( r$status == Broker::SUCCESS )
+		local key = AddrPortServTriplet($host = info$host, $p = info$port_num, $serv = s);
 		when ( local r = Broker::put_unique(Known::service_store$store, key,
 		                                    T, Known::service_store_expiry) )
 			{
-			if ( r$result as bool )
+			if ( r$status == Broker::SUCCESS )
-				Log::write(Known::SERVICES_LOG, info);
+				{
 				if ( r$result as bool ) {
 					info$service = set(s);	# log one service at the time if multiservice
 					Log::write(Known::SERVICES_LOG, info);
 					}
 				}
 			else
 				Reporter::error(fmt("%s: data store put_unique failure",
 				                    Known::service_store_name));
 			}
 		timeout Known::service_store_timeout
 			{
 			Log::write(Known::SERVICES_LOG, info);
 			}
 		else
 			Reporter::error(fmt("%s: data store put_unique failure",
 			                    Known::service_store_name));
 		}
 	timeout Known::service_store_timeout
 		{
 		Log::write(Known::SERVICES_LOG, info);
 		}
 	}
@ -119,14 +140,32 @@ event known_service_add(info: ServicesInfo)
 	if ( Known::use_service_store )
 		return;
-	if ( [info$host, info$port_num] in Known::services )
+	if ( check(info) )
 		return;
-	add Known::services[info$host, info$port_num];
+	if ( [info$host, info$port_num] !in Known::services )
 		Known::services[info$host, info$port_num] = set();
 	 # service to log can be a subset of info$service if some were already seen
 	local info_to_log: ServicesInfo;
 	info_to_log$ts = info$ts;
 	info_to_log$host = info$host;
 	info_to_log$port_num = info$port_num;
 	info_to_log$port_proto = info$port_proto;
 	info_to_log$service = set();
 	for ( s in info$service )
 		{
 		if ( s !in Known::services[info$host, info$port_num] )
 			{
 			add Known::services[info$host, info$port_num][s];
 			add info_to_log$service[s];
 			}
 		}
 	@if ( ! Cluster::is_enabled() ||
 	      Cluster::local_node_type() == Cluster::PROXY )
-		Log::write(Known::SERVICES_LOG, info);
+		Log::write(Known::SERVICES_LOG, info_to_log);
 	@endif
 	}
@ -139,7 +178,7 @@ event Cluster::node_up(name: string, id: string)
 		return;
 	# Drop local suppression cache on workers to force HRW key repartitioning.
-	Known::services = set();
+	Known::services = table();
 	}
 event Cluster::node_down(name: string, id: string)
@ -151,7 +190,7 @@ event Cluster::node_down(name: string, id: string)
 		return;
 	# Drop local suppression cache on workers to force HRW key repartitioning.
-	Known::services = set();
+	Known::services = table();
 	}
 event service_info_commit(info: ServicesInfo)
@ -159,7 +198,7 @@ event service_info_commit(info: ServicesInfo)
 	if ( Known::use_service_store )
 		return;
-	if ( [info$host, info$port_num] in Known::services )
+	if ( check(info) )
 		return;
 	local key = cat(info$host, info$port_num);
@ -186,10 +225,16 @@ function known_services_done(c: connection)
 			return;
 		}
 	# Drop services starting with "-" (confirmed-but-then-violated protocol)
 	local tempservs: set[string];
 		for (s in c$service)
 			if ( s[0] != "-" )
 				add tempservs[s];
 	local info = ServicesInfo($ts = network_time(), $host = id$resp_h,
 	                          $port_num = id$resp_p,
 	                          $port_proto = get_port_transport_proto(id$resp_p),
-	                          $service = c$service);
+	                          $service = tempservs);
 	# If no protocol was detected, wait a short time before attempting to log
 	# in case a protocol is detected on another connection.
--- a/testing/btest/Baseline/scripts.policy.protocols.conn.known-services-multi/known_services.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services-multi/known_services.log
@ -0,0 +1,11 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	known_services
 #open	2019-08-09-17-38-17
 #fields	ts	host	port_num	port_proto	service
 #types	time	addr	port	enum	set[string]
 1455718916.856316	192.168.2.230	443	tcp	SSH
 1455718922.796688	192.168.2.230	443	tcp	SSL
 #close	2019-08-09-17-38-18
--- a/testing/btest/Traces/ssl-and-ssh-using-sslh.trace
+++ b/testing/btest/Traces/ssl-and-ssh-using-sslh.trace
--- a/testing/btest/scripts/policy/protocols/conn/known-services-multi.zeek
+++ b/testing/btest/scripts/policy/protocols/conn/known-services-multi.zeek
@ -0,0 +1,7 @@
 # A test case for when more than a single service is detected for a given
 # (addr, port) pair.
 # @TEST-EXEC: zeek -C -r $TRACES/ssl-and-ssh-using-sslh.trace %INPUT "Known::service_tracking = ALL_HOSTS"
 # @TEST-EXEC: btest-diff known_services.log
@load protocols/conn/known-services
--- a/testing/external/commit-hash.zeek-testing
+++ b/testing/external/commit-hash.zeek-testing
@ -1 +1 @@
-5e5a5e8dbb94215a7ca1def810f4bbe0322bc72e
+dc6a8f1de9f3b298406051282abcaa6e8f198695
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@ -1 +1 @@
-b7cf5aa8224fb39baf7497d187f48165fad050da
+fdfcdffd464fd2114be03feacfd075d73a8b1ef9
		`@ -1 +1 @@`
			`Subproject commit 1cd9867ca6c8ab73db1f2b665ec69332fe88734c`				`Subproject commit 56019a5297cd5d167e0febc6b0b33a32a9dbe96e`
`@ -1 +1 @@`
	`5e5a5e8dbb94215a7ca1def810f4bbe0322bc72e`	`dc6a8f1de9f3b298406051282abcaa6e8f198695`
`@ -1 +1 @@`
	`b7cf5aa8224fb39baf7497d187f48165fad050da`	`fdfcdffd464fd2114be03feacfd075d73a8b1ef9`