HTTP analyzer does not produce any log for traffic on non-standard port #88
Comments
The issue seems to be due to how Zeek's builtin |
When specifying `replaces` in the analyzer glue we currently deactivate the replaced analyzer before activating the replacement. We do however not update the names referenced in DPD signatures, see e.g., zeek/spicy-plugin#69. In order to activate our replacement analyzers in the same scenarios builtin analyzers would have been activated by DPD, this patch copies over the zeek-4.1.1 signatures of all replacement analyzers where the replaced analyzers could have been activated with DPD in Zeek (HTTP and DHCP). Closes #88.
This sounds like a bug (or oversight) then: the |
Ah, I see that we pass |
@mmguero reported the following issue on Slack:
I looked into this and was able to reproduce the issue with a zeek-4.1.1 from Homebrew, and the most recent releases of spicy, spicy-plugin and spicy-analyzers. When I rebuilt a zeek-4.1.1 from source (in `DEBUG` mode for `-B dpd` support), the issue went away.

We should look into this. It might be that e.g., Zeek-builtin DPD for HTTP doesn't trigger for our HTTP analyzer which claims to `replaces HTTP`.