diff --git a/scripts/base/frameworks/analyzer/dpd.zeek b/scripts/base/frameworks/analyzer/dpd.zeek
index 147643135a..91aeac3bfa 100644
--- a/scripts/base/frameworks/analyzer/dpd.zeek
+++ b/scripts/base/frameworks/analyzer/dpd.zeek
@@ -125,7 +125,7 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
 # add "-service" to the list of services on removal due to violation, if analyzer was confirmed before
 if ( track_removed_services_in_connection && disabled && Analyzer::name(atype) in c$service )
 {
- local rname = fmt("-%s", Analyzer::name(atype));
+ local rname = cat("-", Analyzer::name(atype));
 if ( rname !in c$service )
 add c$service[rname];
 }
diff --git a/scripts/base/protocols/conn/main.zeek b/scripts/base/protocols/conn/main.zeek
index 06f196043d..0185129199 100644
--- a/scripts/base/protocols/conn/main.zeek
+++ b/scripts/base/protocols/conn/main.zeek
@@ -27,13 +27,10 @@ export {
 id: conn_id &log;
 ## The transport layer protocol of the connection.
 proto: transport_proto &log;
- ## The identification of the application protocol(s) being sent over
- ## the connection. Can list more than one protocol separated with
- ## colons. Protocols listed are in the order in which they are
- ## confirmed.
- ## This field can also contain a list of protocol analyzers that
- ## raise violations prefixed with a "-" if the option
- ## :zeek:see:`DPD::track_removed_services_in_connection` is set.
+ ## A comma-separated list of confirmed protocol(s).
+ ## With :zeek:see:DPD::track_removed_services_in_connection, the list
+ ## includes the same protocols prefixed with "-" to record that Zeek
+ ## dropped them due to parsing violations."
 service: string &log &optional;
 ## How long the connection lasted.
 ##
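Review bot: In scripts/base/frameworks/analyzer/dpd.zeek the `"-"` marker built by the new `cat("-", Analyzer::name(atype))` line is a bare literal, even though this same commit documents that prefix as part of the conn.log `service` format in conn/main.zeek. Log consumers and detections keyed on `service` depend on that exact string, so I would add a comment above the line such as `# "-" prefix marks an analyzer removed after a violation; keep in sync with the service field docs in conn/main.zeek`. `Analyzer::name(atype)` is also evaluated again here right after the `if` condition already called it; a local holding the name would read more cleanly. The enclosing event handler starts and ends outside the hunk.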
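Review bot: The new doc comment for `service` in scripts/base/protocols/conn/main.zeek has two markup slips: the last added line ends with a stray `"` after "violations.", and the `:zeek:see:` role has lost the backticks that the removed text had around its target, so the cross-reference will probably render as literal text. I would write ``## With :zeek:see:`DPD::track_removed_services_in_connection`, the list`` and end the final line at `violations.`. The removed text also stated that protocols are listed in the order in which they are confirmed; if that still holds it is worth keeping, since analysts may read meaning into the ordering. It may also help to say that a "-"-prefixed entry still contains the protocol name, so a substring match on `service` will also hit connections where the analyzer was dropped.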
diff --git a/scripts/policy/protocols/conn/failed-services.zeek b/scripts/policy/protocols/conn/service-violation-logging.zeek
similarity index 100%
rename from scripts/policy/protocols/conn/failed-services.zeek
rename to scripts/policy/protocols/conn/service-violation-logging.zeek
diff --git a/scripts/test-all-policy.zeek b/scripts/test-all-policy.zeek
index 737c04c920..2e3083315e 100644
--- a/scripts/test-all-policy.zeek
+++ b/scripts/test-all-policy.zeek
@@ -98,7 +98,7 @@
 @load misc/unknown-protocols.zeek
 @load protocols/conn/community-id-logging.zeek
 @load protocols/conn/disable-unknown-ip-proto-support.zeek
-@load protocols/conn/failed-services.zeek
+@load protocols/conn/service-violation-logging.zeek
 @load protocols/conn/ip-proto-name-logging.zeek
 @load protocols/conn/known-hosts.zeek
 @load protocols/conn/known-services.zeek
diff --git a/testing/btest/scripts/base/frameworks/analyzer/dpd-logging-configuration.zeek b/testing/btest/scripts/base/frameworks/analyzer/dpd-logging-configuration.zeek
index 9f12f11279..9dc69ad66a 100644
--- a/testing/btest/scripts/base/frameworks/analyzer/dpd-logging-configuration.zeek
+++ b/testing/btest/scripts/base/frameworks/analyzer/dpd-logging-configuration.zeek
@@ -2,6 +2,6 @@
 # @TEST-EXEC: zeek -r $TRACES/ftp/ftp-invalid-reply-code.pcap %INPUT
 # @TEST-EXEC: btest-diff conn.log
-@load policy/protocols/conn/failed-services
+@load policy/protocols/conn/service-violation-logging
 redef DPD::track_removed_services_in_connection = T;
diff --git a/testing/external/scripts/testing-setup.zeek b/testing/external/scripts/testing-setup.zeek
index bb3313ad41..b429adbb49 100644
--- a/testing/external/scripts/testing-setup.zeek
+++ b/testing/external/scripts/testing-setup.zeek
@@ -1,7 +1,7 @@
 # Sets some testing specific options.
 @load external-ca-list
-@load protocols/conn/failed-services
+@load protocols/conn/service-violation-logging
 @ifdef ( SMTP::never_calc_md5 )
 # MDD5s can depend on libmagic output.