[Bro-Dev] mask_addr?
Vern Paxson
vern at icir.org
Fri Jul 22 20:23:04 PDT 2011
> I want it to do this (and I think it makes more sense based on the name):
> function mask_addr(a: addr, top_bits_to_keep: count): subnet
Yeah, it predates the introduction of subnets into Bro.
> I'm not sure how the existing function was ever used
It was things like:
	if ( mask_addr(c$id$orig_h, 24) == 1.2.3.0 )
		# Whoops, it's coming from 1.2.3/24 ...
See {backdoor,ftp,scan}.bro (at least, the 1.5 versions :-) for such uses.
> but it seems like it must have been a fairly limited use case. Does
> that seem reasonable to change what that function does and steal the name?
Yes.
Vern