Hi all,
I am looking at the known-services log and it seems to me that when multiple services are detected on the conn.log, not all of them are reported in the known-services.log. For example, http+ssl in the conn.log is logged in known-services.log as only http, while other multiple protocols (for example NTLM,DCE_RPC or even as many as SMB,DCE_RPC,KRB,GSSAPI) are correctly logged. Is there any rationale for this behaviour, or is it just a bug? I saw there is an issue (#419) open on github about it, but it's not clear to me why this happens only for some combinations of multiple protocols.
Besides, I noticed that the known-services script does not detect all DNS conns. I opened an issue on this, #455.
Last, a minor thing. In the script known-services.zeek, in the event connection_state_remove, there is an if statement (below) which is filtering out all non-established tcp conns, but also all udp conns.
if ( c$resp$state != TCP_ESTABLISHED )
    return;
Despite this, everything works fine because all udp analyzers raise a protocol_confirmation event. Would it be better to change the if statement into something like:
if ( c$resp$state != TCP_ESTABLISHED && c$resp$state != UDP_ACTIVE )
    return;
In this way, if a udp analyzer does not raise the protocol_confirmation event, the connection will still be logged into known-services.
Any thoughts?
Thanks.
Mauro
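An audit script for the gap described above, added here as an example and not part of Mauro's post or of Zeek itself: it reads conn.log and known-services.log in Zeek's TSV layout and lists every service conn.log attributed to a responder that known-services.log never recorded for that host/port. The sample log lines are constructed; the field names (id.resp_h, port_num, port_proto, service) are the standard Zeek ones, and the comparison is case-insensitive because conn.log writes service names in lower case while known-services.log keeps the analyzer tags.

```python
from collections import defaultdict

# Constructed sample logs in Zeek's TSV layout (only the #fields header is kept).
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1.0\tC1\t10.0.0.5\t40000\t10.0.0.9\t443\ttcp\thttp,ssl
2.0\tC2\t10.0.0.5\t40001\t10.0.0.9\t445\ttcp\tsmb,dce_rpc,krb,gssapi
3.0\tC3\t10.0.0.5\t40002\t10.0.0.9\t53\tudp\tdns
"""
KNOWN_SERVICES_LOG = """\
#fields\tts\thost\tport_num\tport_proto\tservice
1.0\t10.0.0.9\t443\ttcp\tHTTP
2.0\t10.0.0.9\t445\ttcp\tSMB,DCE_RPC,KRB,GSSAPI
"""

def parse_zeek_tsv(text):
    """Yield one dict per record of a Zeek TSV log, keyed by the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def service_set(value):
    """Split a Zeek set field ('http,ssl') into a set; '-' / '(empty)' mean no service."""
    return set() if value in ("-", "(empty)") else set(value.split(","))

def services_by_endpoint(text, host_f, port_f, proto_f):
    """Map (host, port, proto) -> union of services recorded for that responder."""
    seen = defaultdict(set)
    for rec in parse_zeek_tsv(text):
        seen[(rec[host_f], rec[port_f], rec[proto_f])] |= service_set(rec["service"])
    return seen

def missing_services(conn_text, ks_text):
    """Services conn.log attributes to a responder that known-services.log never lists."""
    conn = services_by_endpoint(conn_text, "id.resp_h", "id.resp_p", "proto")
    known = services_by_endpoint(ks_text, "host", "port_num", "port_proto")
    gaps = {}
    for key, svcs in conn.items():
        # conn.log lower-cases service names; known-services keeps analyzer tags (HTTP, DCE_RPC)
        listed = {s.lower() for s in known.get(key, set())}
        diff = {s for s in svcs if s.lower() not in listed}
        if diff:
            gaps[key] = diff
    return gaps

if __name__ == "__main__":
    for (host, port, proto), svcs in sorted(missing_services(CONN_LOG, KNOWN_SERVICES_LOG).items()):
        print(f"{host}:{port}/{proto} missing {','.join(sorted(svcs))}")
```

Run against real logs by reading the two files into the two text arguments; an empty result means every service conn.log saw was also recorded in known-services.log.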