Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

remove repeated services in logs if already seen

Browse source
This commit is contained in:
Mauro Palumbo 2019-07-29 17:48:29 +02:00
parent cc0f0e2f09
commit ddf2d2d8a9
1 changed files with 15 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

17
scripts/policy/protocols/conn/known-services.zeek
View file

@ -87,9 +87,6 @@ function check(info: ServicesInfo) : bool
if ( [info$host, info$port_num] !in Known::services )
return F;
if ( |info$service| == 0 )
return T; # don't log empty service
for(s in info$service)
{
if ( s !in Known::services[info$host, info$port_num] )
@ -143,17 +140,25 @@ event known_service_add(info: ServicesInfo)
if([info$host, info$port_num] !in Known::services)
Known::services[info$host, info$port_num] = set();
local info_to_log : ServicesInfo; # service to log can be a subset of info$service if some were already seen
info_to_log$ts = info$ts;
info_to_log$host = info$host;
info_to_log$port_num = info$port_num;
info_to_log$port_proto = info$port_proto;
info_to_log$service = set();
for(s in info$service)
{
if ( s !in Known::services[info$host, info$port_num] )
{
add Known::services[info$host, info$port_num][s];
add info_to_log$service[s];
}
}
@if ( ! Cluster::is_enabled() ||
Cluster::local_node_type() == Cluster::PROXY )
Log::write(Known::SERVICES_LOG, info);
Log::write(Known::SERVICES_LOG, info_to_log);
@endif
}
@ -202,6 +207,10 @@ function known_services_done(c: connection)
if ( ! addr_matches_host(id$resp_h, service_tracking) )
return;
# don't log empty service
if ( |c$service| == 0 )
return;
if ( |c$service| == 1 )
{
if ( "ftp-data" in c$service )