known services

Hi all,

I am looking at the known-services log and it seems to me that when multiple services are detected on the conn.log, not all of them are reported in the known-services.log. For example, http+ssl in the conn.log is logged in known-services.log as only http, while other multiple protocols (for example NTLM,DCE_RPC or even as many as SMB,DCE_RPC,KRB,GSSAPI) are correctly logged. Is there any rationale for this behaviour or is it just a bug? I saw there is an issue (#419) open on github about it, but it's not clear to me why this happens only for some combinations of multiple protocols.

Besides, I noticed that the known-services script does not detect all DNS conns. I opened an issue on this, #455.

Last, a minor thing. In the script known-services.zeek, in the event connection_state_remove, there is an if statement (below) which is filtering all non-established tcp conns, but also all udp conns.

if ( c$resp$state != TCP_ESTABLISHED )
    return;

Despite this, everything works fine because all udp analyzers raise a protocol_confirmation event. Would it be better to change the if statement into something like:

if ( c$resp$state != TCP_ESTABLISHED && c$resp$state != UDP_ACTIVE )
    return;

In this way, if a udp analyzer does not raise the protocol_confirmation event, the connection will still be logged into known-services.

Any thoughts?

Thanks.

Mauro

Some connections are decoded as multiple protocols. Something like an
SMTP connection that runs STARTTLS and turns into SSL. This will end
up in the conn log as smtp,ssl and also show up in known services as
smtp,ssl. The problem is that services are tracked by ip+port,
instead of ip+port+service, so whatever the protocol was on the first
seen connection is the one that gets logged. This means that if the
first seen connection is just 'smtp', it will get logged as 'smtp' and
then further 'smtp,ssl' connections will not get logged.

I had an earlier patch to update the service tracking to include the
service, it just needs to be updated for 2.6 and tested.
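A constructed Python model of the tracking behaviour described in this reply and in the original post, added here as an illustration (it is not Zeek's known-services.zeek, and the record layout and sample connections are made up): the same connection stream is deduplicated once by ip+port and once by ip+port+service, with the established-TCP/UDP filter from the original post applied first.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    """Minimal stand-in for the conn.log fields the script looks at."""
    resp_h: str
    resp_p: int
    state: str       # c$resp$state, e.g. TCP_ESTABLISHED, UDP_ACTIVE
    service: tuple   # services confirmed by the analyzers, conn.log order

# Constructed sample stream, not real traffic.
SAMPLE = [
    Conn("10.0.0.5", 25, "TCP_ESTABLISHED", ("smtp",)),
    Conn("10.0.0.5", 25, "TCP_ESTABLISHED", ("smtp", "ssl")),  # STARTTLS
    Conn("10.0.0.7", 443, "TCP_ESTABLISHED", ("http", "ssl")),
    Conn("10.0.0.7", 443, "TCP_RESET", ("http",)),             # never established
    Conn("10.0.0.9", 53, "UDP_ACTIVE", ("dns",)),
]

def known_services(conns, key_by_service):
    """Return the (host, port, service) rows that would reach known-services.log.

    key_by_service=False models tracking by ip+port (the behaviour discussed
    in the thread); key_by_service=True models tracking by ip+port+service.
    """
    seen = set()
    logged = []
    for c in conns:
        # The filter suggested in the original post: keep established TCP
        # and active UDP, drop everything else.
        if c.state not in ("TCP_ESTABLISHED", "UDP_ACTIVE"):
            continue
        key = (c.resp_h, c.resp_p, c.service) if key_by_service else (c.resp_h, c.resp_p)
        if key in seen:
            continue  # already known: this is where smtp,ssl gets lost
        seen.add(key)
        logged.append((c.resp_h, c.resp_p, ",".join(c.service)))
    return logged

if __name__ == "__main__":
    for mode in (False, True):
        print("key_by_service =", mode)
        for row in known_services(SAMPLE, mode):
            print("  ", row)
```

With ip+port keying the second 10.0.0.5:25 connection is dropped, so "smtp,ssl" never appears; with the service in the key both rows are logged, and the reset TCP connection is filtered in both modes.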

Ok, thanks. Are you planning to release the patch soon?

Hopefully.. it's not super complicated but making sure all of the edge
cases are tested properly is most of the work.