[Bro] remote.bro problem?

Robin Sommer sommer at in.tum.de
Fri Jun 10 00:19:45 PDT 2005

On Thu, Jun 09, 2005 at 16:52 -0700, you wrote:

>       ["foo"] = [$host = weed.nersc.gov, $events = /.*/, $connect=T,

> >called: connect(ip = '{
> >
> >}', p = '47756/tcp', retry = '1.0 min', ssl = 'T')

> converted, but has additional spaces and returns.

Even more: it's surrounded by "{...}" which indicates that actually
there is table passed to connect().

[...reading source code...]

Ok, I see. The parser looks up the host name by means of
DNS_Mgr::LookupHost() which returns a set of IP addresses (because a
hostname can correspond to more than one name). But that doesn't
match with record's type definition which specifies a single addr,
not a set.

I don't really see what's the right way to solve this. Anyone having
an idea how to handle this?

> Since the client cert is associated to the host name rather than the IP
> address, I am getting authentication failures for ssl.

Actually, I don't think that giving the host name in the script
would help. The address is looked up by the parser, so that in any
case the connect() function sees an IP address rather than the name.

It seems that there is some additional logic in the communication
code required to check such certificates. Does anybody know if
OpenSSL already provides something along these lines?


Robin Sommer * Room        01.08.055 * www.net.in.tum.de
TU Muenchen  * Phone (089) 289-18006 *  sommer at in.tum.de 

More information about the Bro mailing list