In the comments of an earlier blog:
… we found an interesting situation. Even when you call “suspend_processing” in zeek_init, like this:
event zeek_init() &priority=10
{
suspend_processing();
}
event new_connection(c: connection)
{
print("NEW");
}
event connection_state_remove(c: connection)
{
print("REMOVE");
}… Zeek will still process the first packet. The “new_connection” and “connection_state_remove” events will still fire for that first packet/connection. This is what the output looks like:
$ zeek -Cr ../dnp3_example.pcap ./test.zeek
processing suspended
NEW
PEERADDED
REMOVE… for the PCAP located here:
https://github.com/cisagov/icsnpp-dnp3/blob/main/tests/traces/dnp3_example.pcap
Leave a Reply