{"id":419,"date":"2023-03-21T11:25:39","date_gmt":"2023-03-21T15:25:39","guid":{"rendered":"https:\/\/drkeithjones.com\/?p=419"},"modified":"2023-03-21T11:26:26","modified_gmt":"2023-03-21T15:26:26","slug":"zeeks-suspend_processing-quirk-with-pcaps","status":"publish","type":"post","link":"https:\/\/drkeithjones.com\/index.php\/2023\/03\/21\/zeeks-suspend_processing-quirk-with-pcaps\/","title":{"rendered":"Zeek&#8217;s suspend_processing Quirk With PCAPs"},"content":{"rendered":"\n<p>In the comments of an earlier blog:<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-drkeithjones-com wp-block-embed-drkeithjones-com\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"z4tPuLLJ6D\"><a href=\"https:\/\/drkeithjones.com\/index.php\/2023\/03\/11\/how-to-connect-zeek-to-python\/\">How To Connect Zeek To Python<\/a><\/blockquote>\n<\/div><\/figure>\n\n\n\n<p>&#8230; we found an interesting situation. Even when you call &#8220;suspend_processing&#8221; in zeek_init, like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>event zeek_init() &amp;priority=10\n{\n\tsuspend_processing();\n}\n\nevent new_connection(c: connection)\n{\n\tprint(\"NEW\");\n}\n\nevent connection_state_remove(c: connection)\n{\n\tprint(\"REMOVE\");\n}<\/code><\/pre>\n\n\n\n<p>&#8230; Zeek will still process the first packet. The &#8220;new_connection&#8221; and &#8220;connection_state_remove&#8221; events will still fire for that first packet\/connection. This is what the output looks like:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ zeek -Cr ..\/dnp3_example.pcap .\/test.zeek\nprocessing suspended\nNEW\nPEERADDED\nREMOVE<\/code><\/pre>\n\n\n\n<p>&#8230; for the PCAP located here:<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/cisagov\/icsnpp-dnp3\/blob\/main\/tests\/traces\/dnp3_example.pcap\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/github.com\/cisagov\/icsnpp-dnp3\/blob\/main\/tests\/traces\/dnp3_example.pcap<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the comments of an earlier blog: &#8230; we found an interesting situation. Even when you call &#8220;suspend_processing&#8221; in zeek_init, like this: &#8230; Zeek will still process the first packet. The &#8220;new_connection&#8221; and &#8220;connection_state_remove&#8221; events will still fire for that first packet\/connection. This is what the output looks like: &#8230; for the PCAP located here: [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[91,24,61,4],"tags":[29,27],"class_list":["post-419","post","type-post","status-publish","format-standard","hentry","category-open-source","category-pcaps","category-tools","category-zeek","tag-pcaps","tag-zeek"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/posts\/419","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/comments?post=419"}],"version-history":[{"count":0,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/posts\/419\/revisions"}],"wp:attachment":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/media?parent=419"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/categories?post=419"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/tags?post=419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}