Mirror of https://github.com/zeek/zeek.git, synced 2025-10-08 01:28:20 +00:00
This seems to be an age-old bug. Reported by mchen on discourse [1].

The TCPSessionAdapter decides in AddExtraAnalyzers() whether to enable reassembly or not. When dpd_reassemble_first_packets is F, this boils down to ! GetChildren().empty(). The intention being that if any analyzers have been added to the connection based on known ports, reassembly is to be enabled. However, GetChildren() does not take into account new_children and so ! GetChildren().empty() is always false here and reassembly solely based on dpd_reassemble_first_packets=F (or the tcp_content... options). Ouch.

Call AppendNewChildren() before AddExtraAnalyzers() as a fix. Without this, the new test does not produce an http.log and service "http" isn't in conn.log.

[1] https://community.zeek.org/t/how-to-activate-an-application-layer-analyzer-when-signature-dpd-reassemble-first-packets-is-off/6763

fin-retransmit.zeek
large-file-reassembly.zeek
miss-end-data.zeek
missing-syn.zeek
options.zeek
quantum-insert.zeek
reassembly-known-ports.zeek
rst-after-syn.zeek
rxmit-history.zeek
tcp-dups.zeek
truncated-header.zeek