mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
42bf41aca1
In using the corelight/bro-xor-exe-plugin (https://github.com/corelight/bro-xor-exe-plugin) I noticed this error when running the PCAP trace file in its tests directory: 1428602842.525435 expression error in /opt/zeek/share/zeek/policy/protocols/ssl/log-hostcerts-only.zeek, line 44: field value missing (X509::f$conns) Examining log-hostcerts-only.zeek, I saw that although f$conns is being checked for length, it's not being checked to see if it exists first. This commit changes "if ( |f$conns| != 1 )" to "if (( ! f?$conns ) || ( |f$conns| != 1 ))" so that the script returns if there is no f$conns field. In my local testing, this seems to fix the error. My testing was being done with v3.0.5, but I think this patch can be applied to both the 3.0.x and 3.1.x branches. |
||
|---|---|---|
| .. | ||
| conn | ||
| dhcp | ||
| dns | ||
| ftp | ||
| http | ||
| krb | ||
| modbus | ||
| mqtt | ||
| mysql | ||
| rdp | ||
| smb | ||
| smtp | ||
| ssh | ||
| ssl | ||