[Zeek] known services

Justin Azoff justin at corelight.com
Mon Jul 8 09:02:00 PDT 2019


On Mon, Jul 8, 2019 at 6:27 AM Palumbo Mauro <mauro.palumbo at aizoon.it> wrote:
>    I am looking at the known-services log and it seems to me that when multiple services are detected on the conn.log, not all of them are reported in the known-services.log. For example, http+ssl in the conn.log is logged in known-services.log as only http, while other multiple protocols (for example NTLM,DCE_RPC or even as many as SMB,DCE_RPC,KRB,GSSAPI) are correctly logged. Is there any rationale for this behaviour or is it just a bug? I saw there is an issue (#419) open on github about it, but it’s not clear to me why this happens only for some combinations of multiple protocols.

Some connections are decoded as multiple protocols.  Something like a
SMTP connection that runs STARTTLS and turns into SSL.  This will end
up in the conn log as smtp,ssl and also show up in known services as
smtp,ssl.  The problem is that services are tracked by ip+port,
instead of ip+port+service, so whatever the protocol was on the first
seen connection is the one that gets logged.  This means that if the
first seen connection is just 'smtp', it will get logged as 'smtp' and
then further 'smtp,ssl' connections will not get logged.

I had an earlier patch to update the service tracking to include the
service, it just needs to be updated for 2.6 and tested.



--
Justin
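A small replay of the tracking behaviour described above, added here as an illustration and not code from the thread or from Zeek's own known-services script. It feeds constructed conn.log-style rows through a dedup keyed by responder ip+port (today's behaviour) and by ip+port+service (the proposed fix), so the "http" versus "http,ssl" discrepancy from the question can be reproduced offline.

```python
import csv
import io

# Constructed conn.log excerpt (field names follow the default conn.log layout,
# values are invented). The first 443 connection is plain http, the second is
# http,ssl; the first 25 connection is smtp, the second smtp,ssl after STARTTLS.
CONN_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tservice
1562576400.1\t10.0.0.5\t51000\t10.0.0.25\t25\tsmtp
1562576402.7\t10.0.0.6\t51001\t10.0.0.25\t25\tsmtp,ssl
1562576405.3\t10.0.0.7\t51002\t10.0.0.30\t443\thttp
1562576406.0\t10.0.0.8\t51003\t10.0.0.30\t443\thttp,ssl
1562576410.2\t10.0.0.9\t51004\t10.0.0.40\t445\tsmb,dce_rpc,krb,gssapi
"""


def parse_conn_log(text):
    """Parse a tab-separated conn.log excerpt into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def known_services(rows, key_includes_service):
    """Replay conn rows in order and return the known-services entries that
    would be written, as (resp_h, resp_p, service) tuples.

    key_includes_service=False mimics tracking by ip+port only: the first
    connection seen for a responder ip+port claims the slot and later
    connections to that ip+port with a different service set are skipped.
    key_includes_service=True tracks ip+port+service, so each distinct
    service set is recorded once. The service set is compared order-
    insensitively so "ssl,http" and "http,ssl" count as the same service.
    """
    seen = set()
    out = []
    for r in rows:
        ip, port, svc = r["id.resp_h"], int(r["id.resp_p"]), r["service"]
        svc_set = frozenset(svc.split(","))
        key = (ip, port, svc_set) if key_includes_service else (ip, port)
        if key in seen:
            continue
        seen.add(key)
        out.append((ip, port, svc))
    return out


if __name__ == "__main__":
    rows = parse_conn_log(CONN_LOG)
    print("ip+port:        ", known_services(rows, False))
    print("ip+port+service:", known_services(rows, True))
```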
