corelight / callstranger-detector

Zeek Plugin that detects CallStranger (CVE-2020-12695) attempts (http://callstranger.com/)
BSD 3-Clause "New" or "Revised" License

Field Value Missing #1

Closed Cyb3r4rch3r closed 3 years ago

Cyb3r4rch3r commented 3 years ago

Receiving this error:

{"ts":1607101524.112301,"level":"Reporter::ERROR","message":"field value missing (CallStrangerDetector::c$http$method)","location":"/opt/zeek/spool/installed-scripts-do-not-touch/site/packages/./callstranger-detector/./callstranger.zeek, line 37"}

Seemingly caused by the nested if statement in this block:

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) {
    if (c?$http) {
        # c$http$method is an &optional field of HTTP::Info; this comparison is the line the reporter error points at
        if (c$http$method == "NOTIFY") {
            if (c$id$resp_h !in Site::private_address_space && c$id$resp_h !in Site::local_nets && c$id$resp_h !in ignore_subnets) {
                NOTICE([$conn=c, $note=CallStranger_UPnP_To_External_Host, $msg="Potential CVE-2020-12695 (CallStranger) exploitation success (UPnP NOTIFY to a non-RFC1918 or Local Address)"]);
                if (c$http?$uri && |c$http$uri| > exfiltration_threshold) {
                    NOTICE([$conn=c, $note=CallStranger_Data_Exfiltration_Success, $msg="Potential CVE-2020-12695 (CallStranger) data exfiltration success (large amount of data in UPnP NOTIFY URI)"]);
                }
            }
        }
    }
}

I was hoping you could tell me if this is expected (maybe this is thrown when no UPnP traffic is seen?) or if this is something broken in my implementation and how I can fix this?

rvictory commented 3 years ago

That is definitely a bug, caused by not checking if c$http$method is actually set (it's an optional field). I'll put in a fix momentarily. Thanks for bringing this up!
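The guard rvictory describes, shown as an added, stand-alone example rather than the project's committed fix (the actual change lives in the commit referenced below). It keeps the handler from the issue but tests `c$http?$method` before comparing it, because `HTTP::Info` is only attached to the connection once the analyzer has parsed a request line and its `method` field is declared `&optional`. The `exfiltration_threshold` default and the empty `ignore_subnets` set are assumptions made so the script loads on its own; the real plugin defines its own values.

```zeek
##! Added example, not the callstranger-detector project's own code:
##! http_message_done with a presence check on the optional method field.

@load base/protocols/http
@load base/frameworks/notice
@load base/utils/site

module CallStrangerDetector;

export {
    redef enum Notice::Type += {
        CallStranger_UPnP_To_External_Host,
        CallStranger_Data_Exfiltration_Success,
    };

    # Assumed defaults so the script loads stand-alone; the project sets its own.
    const exfiltration_threshold: count = 4000 &redef;
    const ignore_subnets: set[subnet] = {} &redef;
}

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
{
    # Bail out early when no HTTP record is attached yet, or when the record
    # exists but the analyzer never filled in the method (e.g. a response
    # seen without its request). Reading c$http$method in that state is the
    # "field value missing" reporter error from the issue.
    if ( ! c?$http || ! c$http?$method )
        return;

    if ( c$http$method != "NOTIFY" )
        return;

    # Only NOTIFY messages leaving the local and RFC1918 space are interesting;
    # the ignore list covers addresses an operator knowingly exempts.
    local dst = c$id$resp_h;
    if ( dst in Site::private_address_space || dst in Site::local_nets || dst in ignore_subnets )
        return;

    NOTICE([$conn=c,
            $note=CallStranger_UPnP_To_External_Host,
            $msg="Potential CVE-2020-12695 (CallStranger) exploitation success (UPnP NOTIFY to a non-RFC1918 or Local Address)"]);

    # uri is also &optional, so it is guarded the same way before measuring it.
    if ( c$http?$uri && |c$http$uri| > exfiltration_threshold )
        NOTICE([$conn=c,
                $note=CallStranger_Data_Exfiltration_Success,
                $msg="Potential CVE-2020-12695 (CallStranger) data exfiltration success (large amount of data in UPnP NOTIFY URI)"]);
}
```

Run it against a capture with `zeek -r upnp.pcap ./callstranger-check.zeek` and look in `notice.log`; connections that trigger `http_message_done` without a parsed request line now fall through silently instead of raising a reporter error.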

rvictory commented 3 years ago

This has since been resolved in master (commit 381851e9d100406b8a5aec07884bf55feb1017b4)

Thanks, and please let me know if you run into any other issues!

Cyb3r4rch3r commented 3 years ago

Awesome, thanks!