[Bro-Dev] BiF parsing index types
Will
baxterw3232 at gmail.com
Tue May 17 08:16:43 PDT 2011
Thanks for the quick reply and sorry for the delayed response. I have
been trying to troubleshoot a few other issues.
On Fri, May 13, 2011 at 8:51 PM, Robin Sommer <robin at icir.org> wrote:
>
> On Fri, May 13, 2011 at 11:01 -0400, you wrote:
>
>> It doesn't appear to be working properly.
>
> Normally you'd write:
>
> const okay_to_lookup_sensitive_hosts: set[addr] = {
> 172.0.0.1,
> 172.0.0.2,
> } &redef;
>
> But your version seems to work as well. With both versions, I get:
>
> # bro -e "print okay_to_lookup_sensitive_hosts" foo.bro
> {
> 172.0.0.1,
> 172.0.0.2
> }
>
> What's not working?
>
So, this variable defines hosts in dns.bro that we intend to ignore
sensitive DNS queries from (recursive DNS servers). A couple of weeks
ago I installed and started using broctl on this box and with a few
minor changes everything continued working fine except we are now
getting alerts from the two hosts defined here.
I wasn't aware of being able to specify and print a single variable
from bro, as you did above, but ecstatic about how much easier that
will make things when troubleshooting.
On my first attempt, I think I broke something else. I actually have
scan.bro commented out, so I'm assuming this indicates a bigger
issue?
/usr/local/bro/share/bro/site]# bro -e "print
okay_to_lookup_sensitive_hosts" local.bro
/usr/local/bro/share/bro/scan.bro, line 117: internal error: NB-DNS
error in DNS_Mgr::WaitForReplies (ns_initparse(): Message too long)
Abort trap: 6 (core dumped)
After rebuilding bro and broctl, I created a skeleton script that just
had the statements above and it worked just as you showed.
Unfortunately, we are still getting notices from the hosts defined in
that variable.
Like I said, the only change (that I am aware I made) is upgrading bro
from 1.5.1 to 1.5.3 and installing broctl.
This may be something that should be on the user list rather than dev?
Thanks again!
Will
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
>
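Added example (not code from the thread, the Bro distribution, or either poster): a script that defines a `set[addr]` in the style Robin shows above, extends it the way a site-local file such as broctl's local.bro would, and checks membership. The file name `exempt_hosts.bro`, the third address and the `bro_init` check are assumptions for illustration; the two original addresses are the placeholders used in the thread.

```bro
# exempt_hosts.bro (hypothetical file name, added example)
#
# The &redef attribute is what allows a later "redef ... +=" to extend
# this set without editing the original definition.
const okay_to_lookup_sensitive_hosts: set[addr] = {
	172.0.0.1,
	172.0.0.2,
} &redef;

# A site-local script (for example local.bro as loaded by broctl) can
# add a resolver like this. 172.0.0.3 is an assumed value.
redef okay_to_lookup_sensitive_hosts += { 172.0.0.3 };

event bro_init()
	{
	# Prints the full set, the same way "bro -e" does on the command line.
	print okay_to_lookup_sensitive_hosts;

	# The kind of membership test a notice filter would use to skip
	# sensitive-query alerts from a known recursive resolver.
	if ( 172.0.0.3 in okay_to_lookup_sensitive_hosts )
		print "172.0.0.3 is exempt from sensitive-lookup notices";
	}
```

To confirm which definition actually wins once all site scripts are loaded, run the same one-liner Robin used, pointing at the file broctl loads rather than at a skeleton script: `bro -e "print okay_to_lookup_sensitive_hosts" exempt_hosts.bro`. If the hosts are listed there but notices still fire, the script generating the notice is not consulting this variable.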