[Zeek] R: known services

Palumbo Mauro mauro.palumbo at aizoon.it
Tue Jul 9 00:30:32 PDT 2019


Ok, thanks. Are you planning to release the patch soon? 

-----Original Message-----
From: Justin Azoff [mailto:justin at corelight.com] 
Sent: Monday, July 8, 2019 18:02
To: Palumbo Mauro <mauro.palumbo at aizoon.it>
Cc: zeek at zeek.org
Subject: Re: [Zeek] known services

On Mon, Jul 8, 2019 at 6:27 AM Palumbo Mauro <mauro.palumbo at aizoon.it> wrote:
>    I am looking at the known-services log and it seems to me that when multiple services are detected on the conn.log, not all of them are reported in the known-services.log. For example, http+ssl in the conn.log is logged in known-services.log as only http, while other multiple protocols (for example NTLM,DCE_RPC or even as many as SMB,DCE_RPC,KRB,GSSAPI) are correctly logged. Is there any rationale for this behaviour or is it just a bug? I saw there is an issue (#419) open on github about it, but it's not clear to me why this happens only for some combinations of multiple protocols.

Some connections are decoded as multiple protocols.  Something like a SMTP connection that runs STARTTLS and turns into SSL.  This will end up in the conn log as smtp,ssl and also show up in known services as smtp,ssl.  The problem is that services are tracked by ip+port, instead of ip+port+service, so whatever the protocol was on the first seen connection is the one that gets logged.  This means that if the first seen connection is just 'smtp', it will get logged as 'smtp' and then further 'smtp,ssl' connections will not get logged.

I had an earlier patch to update the service tracking to include the service, it just needs to be updated for 2.6 and tested.



--
Justin
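The tracking difference Justin describes, modelled as an added illustration (this is not Zeek code and not part of the thread): a small Python simulation runs constructed conn.log-style records through two tracking keys, host+port and host+port+service, and shows which service combinations the first key silently drops. The records, hosts and ports are made up; the port is simplified to a bare integer rather than Zeek's port/protocol pair, and the `service` column is treated as an order-free set so that `smtp,ssl` and `ssl,smtp` count as the same combination (an assumption, not something the thread states).

```python
"""Toy model of known-services tracking keyed by host+port versus
host+port+service.  Added example, not Zeek's implementation."""

# Constructed sample records in conn.log order: (orig_h, resp_h, resp_p, service).
CONN_RECORDS = [
    ("10.0.0.5", "10.0.0.25", 25, "smtp"),       # plain SMTP seen first
    ("10.0.0.6", "10.0.0.25", 25, "smtp,ssl"),   # STARTTLS upgrade, seen later
    ("10.0.0.7", "10.0.0.25", 25, "ssl,smtp"),   # same set, different field order
    ("10.0.0.8", "10.0.0.80", 443, "http,ssl"),  # combined service seen first here
    ("10.0.0.9", "10.0.0.80", 443, "http"),
]


def service_set(service):
    """Normalise the comma-separated service field to an order-free set."""
    return frozenset(s for s in service.split(",") if s)


def canonical(service):
    """Stable string form of a service set, for log output and comparison."""
    return ",".join(sorted(service_set(service)))


def track_by_host_port(records):
    """Tracking keyed by (resp_h, resp_p): whatever service string the first
    connection to that host:port carried is logged, and nothing else ever is."""
    seen = set()
    log = []
    for _, resp_h, resp_p, service in records:
        key = (resp_h, resp_p)
        if key in seen:
            continue
        seen.add(key)
        log.append((resp_h, resp_p, service))
    return log


def track_by_host_port_service(records):
    """Tracking keyed by (resp_h, resp_p, service set): each distinct service
    combination observed on a host:port is logged exactly once."""
    seen = set()
    log = []
    for _, resp_h, resp_p, service in records:
        key = (resp_h, resp_p, service_set(service))
        if key in seen:
            continue
        seen.add(key)
        log.append((resp_h, resp_p, canonical(service)))
    return log


def unlogged_services(records, log):
    """Service combinations present in the conn records but absent from the
    given known-services log; useful as a check of tracking completeness."""
    logged = {(h, p, service_set(s)) for h, p, s in log}
    missing = set()
    for _, resp_h, resp_p, service in records:
        if (resp_h, resp_p, service_set(service)) not in logged:
            missing.add((resp_h, resp_p, canonical(service)))
    return sorted(missing)


if __name__ == "__main__":
    by_port = track_by_host_port(CONN_RECORDS)
    by_service = track_by_host_port_service(CONN_RECORDS)
    print("host+port tracking:", by_port)
    print("  dropped:", unlogged_services(CONN_RECORDS, by_port))
    print("host+port+service tracking:", by_service)
    print("  dropped:", unlogged_services(CONN_RECORDS, by_service))
```

With host+port tracking the 10.0.0.25:25 entry is logged once as plain `smtp` and the later `smtp,ssl` connections never appear, while for 10.0.0.80:443 the opposite happens and the plain `http` connection is the one lost; adding the service set to the key logs both combinations for each host:port, which is the change the earlier patch Justin mentions would make.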


