Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/scripts/base/frameworks/notice
History
Arne Welzel af1714853f http: Prevent request/response de-synchronization and unbounded state growth 
When http_reply events are received before http_request events, either
through faking traffic or possible re-ordering, it is possible to trigger
unbounded state growth due to later http_requests never being matched
again with responses.

Prevent this by synchronizing request/response counters when late
requests come in.

Also forcefully flush pending requests when http_replies are never
observed either due to the analyzer having been disabled or because
half-duplex traffic.

Fixes #1705
2023-08-28 15:02:58 +02:00
..
actions Revert "Merge remote-tracking branch 'origin/topic/vern/at-if-analyze'" 2023-05-31 09:20:33 +02:00
__load__.zeek GH-379: move catch-and-release and unified2 scripts to policy/ 2019-06-05 13:33:45 -07:00
main.zeek Remove icmp_conn leftovers 2023-07-04 17:57:20 +02:00
README More bro-to-zeek renaming in scripts and other files 2019-05-16 02:36:41 -05:00
weird.zeek http: Prevent request/response de-synchronization and unbounded state growth 2023-08-28 15:02:58 +02:00

README 

The notice framework enables Zeek to "notice" things which are odd or
potentially bad, leaving it to the local configuration to define which
of them are actionable.  This decoupling of detection and reporting allows
Zeek to be customized to the different needs that sites have.