[Bro-Dev] BiF parsing index types
Jim Mellander
jmellander at lbl.gov
Tue May 24 12:11:32 PDT 2011
On Tue, May 24, 2011 at 9:00 AM, Seth Hall <seth at icir.org> wrote:
>
> On May 24, 2011, at 12:33 PM, Vern Paxson wrote:
>
>> IIRC, it's used by Bro at startup to resolve hostnames in the policy
>> scripts. If those fail to resolve due to a serious problem (rather than
>> just the name not existing), then arguably Bro is about to run with
>> fundamentally incorrect/missing information, which is not very safe.
>
> Agreed, but I would consider it a fairly minimal risk due to such extremely limited use of that feature anyway. In the scripts I've been working on, I haven't even used it at all so the risk is even lower.

How about triggering an event on such failure conditions (perhaps
sending the hostname)? Each site could then determine globally or by
hostname how to deal with this situation.

>
>> That said, whether it should bomb out under such circumstances is
>> still debatable.
>
>
> I agree. If I get a chance soon I'll commit a change to fastpath changing those to runtime warnings instead of internal errors. Unless... Jon, would you like to do it?
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/