[Bro] remote.bro problem?

Vern Paxson vern at icir.org
Fri Jun 10 11:36:43 PDT 2005

> Ok, I see. The parser looks up the host name by means of
> DNS_Mgr::LookupHost() which returns a set of IP addresses (because a
> hostname can correspond to more than one name). But that doesn't
> match with record's type definition which specifies a single addr,
> not a set.

Yep, that's exactly the problem.

> I don't really see what's the right way to solve this. Anyone having
> an idea how to handle this?

Well, this has been an ongoing problem.  It's tempting to just squash down
single-item lists of addresses to a single address, but that'll bomb when
one fine day the name returns two addresses.

A better solution would be for hostnames to be of type set[addr] (rather
than list[addr], which isn't helpful because "list" is strictly an internal
type - you can't get to it from the policy script level).  I've entered
this into Mantis, but it's not a trivial fix.

> Actually, I don't think that giving the host name in the script
> would help. The address is looked up by the parser, so that in any
> case the connect() function sees an IP address rather than the name.


> It seems that there is some additional logic in the communication
> code required to check such certificates.

I agree.

> Does anybody know if
> OpenSSL already provides something along these lines?



More information about the Bro mailing list