Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/topic/johanna/bit-1695'

Browse source 
* origin/topic/johanna/bit-1695:
  Normalize http host in seen script.
This commit is contained in:
Seth Hall 2016-10-02 17:38:31 -04:00
commit ddb905408f
3 changed files with 11 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

4
CHANGES
View file

@ -1,4 +1,8 @@
2.5-beta-35 | 2016-10-02 17:38:31 -0400
* Normalize http host in seen script. (Johanna Amann)
2.5-beta-33 | 2016-10-02 14:42:22 -0400 2.5-beta-33 | 2016-10-02 14:42:22 -0400
* Handle removing non-existent intel items. (Jan Grashoefer) * Handle removing non-existent intel items. (Jan Grashoefer)

2
VERSION
View file

@ -1 +1 @@
2.5-beta-33 2.5-beta-35

10
scripts/policy/frameworks/intel/seen/http-headers.bro
View file

@ -6,16 +6,18 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
{ {
if ( is_orig ) if ( is_orig )
{ {
switch ( name ) switch ( name )
{ {
case "HOST": case "HOST":
if ( is_valid_ip(value) ) # The split is done to remove the occasional port value that shows up here (see also base script)
Intel::seen([$host=to_addr(value), local host = split_string1(value, /:/)[0];
if ( is_valid_ip(host) )
Intel::seen([$host=to_addr(host),
$indicator_type=Intel::ADDR, $indicator_type=Intel::ADDR,
$conn=c, $conn=c,
$where=HTTP::IN_HOST_HEADER]); $where=HTTP::IN_HOST_HEADER]);
else else
Intel::seen([$indicator=value, Intel::seen([$indicator=host,
$indicator_type=Intel::DOMAIN, $indicator_type=Intel::DOMAIN,
$conn=c, $conn=c,
$where=HTTP::IN_HOST_HEADER]); $where=HTTP::IN_HOST_HEADER]);