[Bro] remote.bro problem?
vern at icir.org
Fri Jun 10 11:36:43 PDT 2005
> Ok, I see. The parser looks up the host name by means of
> DNS_Mgr::LookupHost() which returns a set of IP addresses (because a
> hostname can correspond to more than one name). But that doesn't
> match with record's type definition which specifies a single addr,
> not a set.
Yep, that's exactly the problem.
> I don't really see what's the right way to solve this. Anyone having
> an idea how to handle this?
Well, this has been an ongoing problem. It's tempting to just squash down
single-item lists of addresses to a single address, but that'll bomb when
one fine day the name returns two addresses.
A better solution would be for hostnames to be of type set[addr] (rather
than list[addr], which isn't helpful because "list" is strictly an internal
type - you can't get to it from the policy script level). I've entered
this into Mantis, but it's not a trivial fix.
> Actually, I don't think that giving the host name in the script
> would help. The address is looked up by the parser, so that in any
> case the connect() function sees an IP address rather than the name.
> It seems that there is some additional logic in the communication
> code required to check such certificates.
> Does anybody know if OpenSSL already provides something along these lines?
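The type mismatch discussed in this thread can be shown in a few lines. The following is an added illustration, not code from Vern, from Bro, or from this list; `lookup_host` is a constructed offline stand-in for `DNS_Mgr::LookupHost()` with a hypothetical name table, and the record and function names are assumptions for the example. It contrasts the tempting shortcut (squash a one-element result to a single address, which breaks the day the name returns two) with a record whose host field is a set of addresses:

```python
import ipaddress
from typing import Set, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed stand-in for DNS_Mgr::LookupHost(): maps a name to the set
# of addresses a resolver might return (hypothetical data, runs offline).
FAKE_DNS = {
    "single.example": {"192.0.2.10"},
    "multi.example": {"192.0.2.20", "192.0.2.21", "2001:db8::20"},
}

def lookup_host(name: str) -> Set[Addr]:
    """Resolve a name to a set of addresses, as LookupHost does (stand-in)."""
    return {ipaddress.ip_address(a) for a in FAKE_DNS.get(name, ())}

def squash_to_single_addr(name: str) -> Addr:
    """The shortcut: collapse a one-element result to a scalar addr.

    Works until the name resolves to zero or several addresses; then there
    is no sane scalar to return and the caller gets an exception."""
    addrs = lookup_host(name)
    if len(addrs) != 1:
        raise ValueError(f"{name!r} resolved to {len(addrs)} addresses, expected exactly 1")
    return next(iter(addrs))

def squash_fails(name: str) -> bool:
    """True if the squashing shortcut cannot represent the lookup result."""
    try:
        squash_to_single_addr(name)
        return False
    except ValueError:
        return True

def peer_record_set_addr(name: str) -> dict:
    """Build a peer record whose host field is typed as a set of addresses
    (the set[addr] approach), so any number of results is representable."""
    addrs = lookup_host(name)
    if not addrs:
        raise ValueError(f"{name!r} did not resolve")
    return {"name": name, "host": frozenset(addrs)}

def address_is_peer(record: dict, addr: str) -> bool:
    """Check a connecting address against every address the name resolved to,
    rather than against a single arbitrarily chosen one."""
    return ipaddress.ip_address(addr) in record["host"]

if __name__ == "__main__":
    print(squash_to_single_addr("single.example"))      # fine for one address
    print(squash_fails("multi.example"))                # True: shortcut breaks
    rec = peer_record_set_addr("multi.example")
    print(sorted(map(str, rec["host"])))
    print(address_is_peer(rec, "192.0.2.21"), address_is_peer(rec, "192.0.2.99"))
```

The point of `address_is_peer` is that once the record carries the whole set, a peer arriving from any of the name's addresses is recognised, whereas a record holding one squashed address would silently reject the others.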