HTTPS service on port 8000/tcp results in HTTP protocol violation messages

Hi all,

we have a TLS (HTTPS) service running on port 8000/tcp. Zeek probably thinks there should be HTTP traffic on that port (usually it is) and this results in thousands of these messages per hour:
analyzer_kind: protocol
analyzer_name: HTTP
cause: violation
failure_reason: not a http reply line
and
failure_reason: not a http request line

Is there a way to handle this? Unfortunately I cannot change the port number the service is listening on.
Thanks in advance!

Cheers, John

Hi John,

Sorry to take a while to follow up. You can suppress these log writes for your server by doing the following:

# Fill in the address of the TLS server; the port is the one it listens on.
const server_addr = <your server IP here>;
const server_port = 8000/tcp;

# Log policy hooks run before every write to analyzer.log; breaking from the
# hook drops that entry without touching the analyzer itself.
hook Analyzer::Logging::log_policy(info: Analyzer::Logging::Info, id: Log::ID, filter: Log::Filter) {
    # info$id is optional, so check it is present before reading the responder fields.
    if ( info?$id && info$id$resp_h == server_addr && info$id$resp_p == server_port )
        break;
}

This defines a callback that Zeek invokes for any write to the analyzer.log, and when it spots an entry for your server at TCP port 8000 it suppresses the write by breaking from the hook.

This isn’t super clean because under the hood those warnings still trigger, but it’s straightforward. Unfortunately our mechanisms for surgically removing the analyzer from a given connection are a bit clunky. Zeek 7 will improve that situation.

If you’re comfortable excluding port 8000 on that server from your analysis entirely, you can also add an exclusion rule for the server to your BPF filter expression, so Zeek won’t see its traffic at all.

Best,
Christian
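A more selective variant of that hook, added here as an example and not Christian's code: it keeps a redef-able set of server/port pairs and drops only HTTP protocol violations for them, so other analyzer failures on the same host still reach analyzer.log. The address in the set is a constructed placeholder.

```zeek
module SuppressExpectedHTTPViolations;

export {
    ## Server/port pairs where non-HTTP traffic on an HTTP port is expected,
    ## e.g. a TLS service on 8000/tcp. 192.0.2.10 is a placeholder; redef it.
    const expected: set[addr, port] = {
        [192.0.2.10, 8000/tcp],
    } &redef;
}

hook Analyzer::Logging::log_policy(rec: Analyzer::Logging::Info, id: Log::ID, filter: Log::Filter)
{
    # Only HTTP protocol violations are candidates for suppression; everything
    # else (other analyzers, confirmations if enabled) is written as usual.
    if ( rec$analyzer_kind != "protocol" || rec$analyzer_name != "HTTP" || rec$cause != "violation" )
        return;

    # rec$id is optional; match the responder side against the allow-list.
    if ( rec?$id && [rec$id$resp_h, rec$id$resp_p] in expected )
        break;
}
```

Load it from local.zeek and extend the set with `redef SuppressExpectedHTTPViolations::expected += { [<addr>, <port>] };` for further servers.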

Thanks a lot! I’ll give it a try.

Regards, John