From e82a7455d720bb8049101ebe2e09d1f19db2b0f9 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Wed, 10 May 2023 17:45:50 +0200
Subject: [PATCH] policy/community-id: Do not use new_connection()

Issue #3028 tracks how a flipped connections reset a connection's value including any state set during new_connection(). For the time being, update community-id functionality back to the original connection_state_remove() approach to avoid missing community_ids on flipped connections.
---
 scripts/policy/frameworks/notice/community-id.zeek | 11 ++---------
 .../policy/protocols/conn/community-id-logging.zeek | 5 +----
 2 files changed, 3 insertions(+), 13 deletions(-)

diff --git a/scripts/policy/frameworks/notice/community-id.zeek b/scripts/policy/frameworks/notice/community-id.zeek
index 5f16b64285..122d3adba5 100644
--- a/scripts/policy/frameworks/notice/community-id.zeek
+++ b/scripts/policy/frameworks/notice/community-id.zeek
@@ -22,14 +22,7 @@ export {

 hook Notice::notice(n: Notice::Info)
 {
- if ( CommunityID::Notice::enabled && n?$conn && n$conn?$conn )
- {
- local info = n$conn$conn;
- # This is set during new_connection(), so it should
- # always be there, but better safe than sorry.
- if ( info?$community_id )
- n$community_id = info$community_id;
- }
+ if ( CommunityID::Notice::enabled && n?$conn )
+ n$community_id = community_id_v1(n$conn$id);
 }
-
 @endif
diff --git a/scripts/policy/protocols/conn/community-id-logging.zeek b/scripts/policy/protocols/conn/community-id-logging.zeek
index 82bb9049a5..a08430727b 100644
--- a/scripts/policy/protocols/conn/community-id-logging.zeek
+++ b/scripts/policy/protocols/conn/community-id-logging.zeek
@@ -17,10 +17,7 @@ export {
 };
 }

-module Conn;
-
-event new_connection(c: connection)
+event connection_state_remove(c: connection)
 {
- Conn::set_conn(c, F); # likely first to access :-/
 c$conn$community_id = community_id_v1(c$id, CommunityID::seed, CommunityID::do_base64);
 }
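Review bot: In `scripts/policy/frameworks/notice/community-id.zeek`, the added `community_id_v1(n$conn$id)` call omits the seed and base64 arguments that the conn logging handler in this same patch passes (`community_id_v1(c$id, CommunityID::seed, CommunityID::do_base64)`). If a site redefines either option, the ID stamped on notices would presumably stop matching the one in the conn log, which defeats its purpose as a pivot between the two logs. Consider `n$community_id = community_id_v1(n$conn$id, CommunityID::seed, CommunityID::do_base64);`, provided those options are in scope in this script (its `@load` lines are outside the hunk).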
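Review bot: In `scripts/policy/protocols/conn/community-id-logging.zeek`, the handler now writes `c$conn$community_id` with neither the removed `Conn::set_conn(c, F)` call nor a `c?$conn` check, and with no explicit `&priority`. It appears to depend on another `connection_state_remove` handler having populated `c$conn` earlier and on the conn log being written later; neither is visible in this hunk, so a comment should state it, for example `# Default priority: relies on c$conn being set by a higher-priority handler and on the conn log write running at a lower one.` It is also worth documenting that the ID is now attached only at connection removal, so anything that reads `c$conn$community_id` while the connection is still live will find it unset.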