known-services missing some DNS connections? #455
I believe some DNS connections are missing in the known-services log because of this if statement:
in the script known-services.zeek. The above if statement is sometimes called right after protocol confirmation, before the field c$resp$size is properly filled, which only happens some time later for each connection. I attach a couple of pcap files where the problem occurs.
I am not sure there is an easy fix for this. I doubt trying to fill c$resp$size earlier in a connection's lifetime is the right way to go. Alternatively, one can log known-services for DNS only when the connection ends (using the event connection_state_remove), but in this way it would be logged quite a bit later...
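The timing gap described in the report can be observed directly with a small diagnostic script. This is an added example, not the reporter's code nor part of the Zeek distribution; it assumes the Zeek 3.x event signature `protocol_confirmation(c, atype, aid)` and the stock `c$resp$size` / `c$service` fields, and logs the responder byte count at both points so the two values can be compared per connection.

```zeek
# dns_size_timing.zeek (constructed diagnostic, not from the Zeek repo):
# records c$resp$size for DNS connections once at protocol confirmation,
# the moment known-services makes its decision, and once more at
# connection teardown, when the byte counts are final.
# Usage: zeek -r <capture.pcap> dns_size_timing.zeek
module DnsSizeTiming;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:        time        &log;
        uid:       string      &log;
        stage:     string      &log;   # which event produced the row
        resp_size: count       &log;   # c$resp$size at that moment
        services:  set[string] &log;   # c$service at that moment
    };
}

event zeek_init()
{
    Log::create_stream(LOG, [$columns=Info, $path="dns_size_timing"]);
}

function emit(c: connection, stage: string)
{
    Log::write(LOG, [$ts=network_time(), $uid=c$uid, $stage=stage,
                     $resp_size=c$resp$size, $services=c$service]);
}

# Same hook and priority at which known-services decides; for a DNS
# connection the responder size is frequently still 0 here.
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=-5
{
    if ( atype == Analyzer::ANALYZER_DNS )
        emit(c, "protocol_confirmation");
}

# The deferred alternative suggested above: by now c$resp$size reflects
# the bytes the server actually sent, at the cost of logging later.
event connection_state_remove(c: connection)
{
    if ( "DNS" in c$service )
        emit(c, "connection_state_remove");
}
```

Rows sharing a uid where resp_size is 0 at protocol_confirmation but non-zero at connection_state_remove are the connections the current check drops.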