[Bro-Dev] BiF parsing index types

Will baxterw3232 at gmail.com
Tue May 17 08:16:43 PDT 2011


Thanks for the quick reply and sorry for the delayed response. I have
been trying to troubleshoot a few other issues.

On Fri, May 13, 2011 at 8:51 PM, Robin Sommer <robin at icir.org> wrote:
>
> On Fri, May 13, 2011 at 11:01 -0400, you wrote:
>
>> It doesn't appear to be working properly.
>
> Normally you'd write:
>
>    const okay_to_lookup_sensitive_hosts: set[addr] = {
>                172.0.0.1,
>                172.0.0.2,
>    } &redef;
>
> But your version seems to work as well. With both versions, I get:
>
>    # bro -e "print okay_to_lookup_sensitive_hosts" foo.bro
>    {
>    172.0.0.1,
>    172.0.0.2
>    }
>
> What's not working?
>
So, this variable defines hosts in dns.bro that we intend to ignore
sensitive DNS queries from (recursive DNS servers). A couple of weeks
ago I installed and started using broctl on this box and with a few
minor changes everything continued working fine except we are now
getting alerts from the two hosts defined here.

I wasn't aware of being able to specify and print a single variable
from bro, as you did above, but ecstatic about how much easier that
will make things when troubleshooting.

On my first attempt, I think I broke something else. I actually have
scan.bro commented out, so I'm assuming this indicates a bigger
issue?
/usr/local/bro/share/bro/site]# bro -e "print
okay_to_lookup_sensitive_hosts" local.bro
/usr/local/bro/share/bro/scan.bro, line 117: internal error: NB-DNS
error in DNS_Mgr::WaitForReplies (ns_initparse(): Message too long)
Abort trap: 6 (core dumped)

After rebuilding bro and broctl, I created a skeleton script that just
had the statements above and it worked just as you showed.
Unfortunately, we are still getting notices from the hosts defined in
that variable.

Like I said, the only change (that I am aware I made) is upgrading bro
from 1.5.1 to 1.5.3 and installing broctl.

This may be something that should be on the user list rather than dev?

Thanks again!

Will

> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>
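As an added illustration of the pattern Robin quotes above (this is example code, not a script from the thread or from Bro's own dns.bro): a `set[addr]` declared with `&redef` so that a site policy can extend it, a `redef` that adds a host the way local.bro would, and an event handler that consults the set before doing any further checking. The variable names other than `okay_to_lookup_sensitive_hosts`, the sample addresses and names, and the `dns_request` handler body are assumptions chosen for the example.

```bro
# Added example, not part of this thread or of Bro's dns.bro.
# Names other than okay_to_lookup_sensitive_hosts are illustrative only.

# The site-tunable allow-list: declared once with &redef so that local
# policy may extend it without editing the defining script.
const okay_to_lookup_sensitive_hosts: set[addr] = {
    172.0.0.1,
    172.0.0.2,
} &redef;

# What a site policy (e.g. local.bro) would do to add a resolver.
# Load order matters: this redef must be evaluated after the const
# declaration above, i.e. after the script that defines it is loaded.
redef okay_to_lookup_sensitive_hosts += { 172.0.0.3 };

# Constructed sample of names whose lookups count as sensitive.
const sensitive_query_names: set[string] = {
    "internal.example.com",
} &redef;

event dns_request(c: connection, msg: dns_msg, query: string,
                  qtype: count, qclass: count)
{
    # Trusted recursive resolvers are exempt from the sensitive-query check.
    if ( c$id$orig_h in okay_to_lookup_sensitive_hosts )
        return;

    if ( query in sensitive_query_names )
        print fmt("sensitive query %s from %s", query, c$id$orig_h);
}
```

The useful check, as shown earlier in the thread, is to print the set from the same policy chain that the running instance loads (for example `bro -e "print okay_to_lookup_sensitive_hosts" local.bro`), since a redef placed in a file that is loaded before the defining script, or not loaded at all, leaves the set at its default contents.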
