Merge pull request #2 from DynamiteAI/bug/field-exist-checks

Bug/field exist checks

Author: pmphry

scripts/Corelight/CommunityID/__load__.zeek

@@ -1,7 +1,6 @@
 @ifdef (CommunityID::hash_conn)
 @load ./connection
 @load ./dce_rpc
-#@load ./dhcp
 @load ./dnp3
 @load ./dns
 @load ./ftp
@@ -23,5 +22,4 @@
 @load ./ssh
 @load ./ssl
 @load ./syslog
-@load ./tunnel
 @endif

scripts/Corelight/CommunityID/dce_rpc.zeek

@@ -7,14 +7,20 @@ export {
 
 event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
     {
-    if ( ! c$dce_rpc?$community_id && c?$community_id )
-        c$dce_rpc$community_id = c$community_id;
+    if ( c?$dce_rpc )
+        {
+        if ( ! c$dce_rpc?$community_id && c?$community_id )
+            c$dce_rpc$community_id = c$community_id;
+        }
     }
 
 event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
     {
-    if ( ! c$dce_rpc?$community_id && c?$community_id )
-        c$dce_rpc$community_id = c$community_id;
+    if ( c?$dce_rpc )
+        {
+        if ( ! c$dce_rpc?$community_id && c?$community_id )
+            c$dce_rpc$community_id = c$community_id;
+        }
     }
 
 @endif

scripts/Corelight/CommunityID/dhcp.zeek

@@ -8,14 +8,20 @@ export {
 
 event dnp3_application_request_header(c: connection, is_orig: bool, application: count, fc: count)
     {
-    if ( ! c$dnp3?$community_id && c?$community_id )
-        c$dnp3$community_id = c$community_id;
+    if ( c?$dnp3 )
+        {
+        if ( ! c$dnp3?$community_id && c?$community_id )
+            c$dnp3$community_id = c$community_id;
+        }
     }
 
 event dnp3_application_response_header(c: connection, is_orig: bool, application: count, fc: count, iin: count)
     {
-    if ( ! c$dnp3?$community_id && c?$community_id )
-        c$dnp3$community_id = c$community_id;
+    if ( c?$dnp3 )
+        {
+        if ( ! c$dnp3?$community_id && c?$community_id )
+            c$dnp3$community_id = c$community_id;
+        }
     }
 
 @endif

scripts/Corelight/CommunityID/dnp3.zeek

@@ -9,15 +9,20 @@ export {
 
 event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=-5
     {
-    # new_connection is not being triggered for UDP, so we need another plan 
-    if (! c$dns?$community_id && c?$community_id)
-        c$dns$community_id = c$community_id;
+    if ( c?$dns ) 
+        {
+        if (! c$dns?$community_id && c?$community_id)
+            c$dns$community_id = c$community_id;
+        }
     }
 
 event dns_end(c: connection, msg: dns_msg)
     {
-    if (! c$dns?$community_id && c?$community_id)
-        c$dns$community_id = c$community_id;
+    if ( c?$dns ) 
+        {
+        if (! c$dns?$community_id && c?$community_id)
+            c$dns$community_id = c$community_id;
+        }
     }
 
 @endif

scripts/Corelight/CommunityID/dns.zeek

@@ -8,14 +8,20 @@ export {
 
 event ftp_request(c: connection, command: string, arg: string)
     {
-    if ( ! c$ftp?$community_id && c?$community_id )
-        c$ftp$community_id = c$community_id;
+    if ( c?$ftp )
+        {
+        if ( ! c$ftp?$community_id && c?$community_id )
+            c$ftp$community_id = c$community_id;
+        }
     }
 
 event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
     {
-    if ( ! c$ftp?$community_id && c?$community_id )
-        c$ftp$community_id = c$community_id;
+    if ( c?$ftp )
+        {
+        if ( ! c$ftp?$community_id && c?$community_id )
+            c$ftp$community_id = c$community_id;
+        }
     }
 
 @endif

scripts/Corelight/CommunityID/ftp.zeek

@@ -9,14 +9,20 @@ export {
 
 event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
     {
-    if (! c$http?$community_id && c?$community_id)
-        c$http$community_id = c$community_id;
+    if ( c?$http )
+        {
+        if (! c$http?$community_id && c?$community_id)
+            c$http$community_id = c$community_id;
+        }
     }
 
 event http_reply(c: connection, version: string, code: count, reason: string)
     {
-    if (! c$http?$community_id && c?$community_id)
-        c$http$community_id = c$community_id;
+    if ( c?$http )
+        {
+        if (! c$http?$community_id && c?$community_id)
+            c$http$community_id = c$community_id;
+        }
     }
 
 @endif

scripts/Corelight/CommunityID/http.zeek

@@ -7,14 +7,20 @@ export {
 }
 event irc_request(c: connection, is_orig: bool, prefix: string, command: string, arguments: string)
     {
-    if ( ! c$irc?$community_id && c?$community_id )
-        c$irc$community_id = c$community_id;
+    if ( c?$dns )
+        {
+        if ( ! c$irc?$community_id && c?$community_id )
+            c$irc$community_id = c$community_id;
+        }
     }
 
 event irc_reply(c: connection, is_orig: bool, prefix: string, code: count, params: string)
     {
-    if ( ! c$irc?$community_id && c?$community_id )
-        c$irc$community_id = c$community_id;
+    if ( c?$dns )
+        {
+        if ( ! c$irc?$community_id && c?$community_id )
+            c$irc$community_id = c$community_id;
+        }
     }
 
 @endif

scripts/Corelight/CommunityID/irc.zeek

@@ -8,38 +8,56 @@ export {
 
 event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options)
     {
-    if ( ! c$krb?$community_id && c?$community_id )
-        c$krb$community_id = c$community_id;  
+    if ( c?$krb )
+        {
+        if ( ! c$krb?$community_id && c?$community_id )
+            c$krb$community_id = c$community_id;  
+        }
     }
 
 event krb_ap_response(c: connection)
     {
-    if ( ! c$krb?$community_id && c?$community_id )
-        c$krb$community_id = c$community_id;
+    if ( c?$krb )
+        {
+        if ( ! c$krb?$community_id && c?$community_id )
+            c$krb$community_id = c$community_id;  
+        }
     }
 
 event krb_as_request(c: connection, msg: KRB::KDC_Request)
     {
-    if ( ! c$krb?$community_id && c?$community_id )
-        c$krb$community_id = c$community_id;
+    if ( c?$krb )
+        {
+        if ( ! c$krb?$community_id && c?$community_id )
+            c$krb$community_id = c$community_id;  
+        }
     }
 
 event krb_as_response(c: connection, msg: KRB::KDC_Response)
     {
-    if ( ! c$krb?$community_id && c?$community_id )
-        c$krb$community_id = c$community_id;
+    if ( c?$krb )
+        {
+        if ( ! c$krb?$community_id && c?$community_id )
+            c$krb$community_id = c$community_id;  
+        }
     }
 
 event krb_tgs_request(c: connection, msg: KRB::KDC_Request)
     {
-    if ( ! c$krb?$community_id && c?$community_id )
-        c$krb$community_id = c$community_id;
+    if ( c?$krb )
+        {
+        if ( ! c$krb?$community_id && c?$community_id )
+            c$krb$community_id = c$community_id;  
+        }
     }
 
 event krb_tgs_response(c: connection, msg: KRB::KDC_Response)
     {
-    if ( ! c$krb?$community_id && c?$community_id )
-        c$krb$community_id = c$community_id;
+    if ( c?$krb )
+        {
+        if ( ! c$krb?$community_id && c?$community_id )
+            c$krb$community_id = c$community_id;  
+        }
     }
 
 @endif

scripts/Corelight/CommunityID/krb.zeek

@@ -7,7 +7,10 @@ export {
 
 event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
     {
-    if ( ! c$modbus?$community_id && c?$community_id )
-        c$modbus$community_id = c$community_id;
+    if ( c?$modbus )
+        {
+        if ( ! c$modbus?$community_id && c?$community_id )
+            c$modbus$community_id = c$community_id;
+        }
     }
 @endif