[Bro] string to address issue w/ is_v6_addr

Mike Dopheide dopheide at gmail.com
Wed Apr 1 10:03:03 PDT 2015

This confused me for quite some time this morning so I thought I'd share.
The script should make it clear, but when attempting to take a url string
and test to see if it's a valid address, the output from to_addr creates a
'valid' ipv6 address.

Is that a requirement for some reason internally?



event bro_init() {

    # is_v6_addr isn't giving the correct result because is_addr returns ::

    # assume url extracted from http:// or ftp:// string via regex:
    local url: string = "www.es.net";

        print fmt("hostname is v4 addr");
        print fmt("hostname is not v4 addr");

        print fmt("hostname is v6 addr");
        print fmt("hostname is not v6 addr");

    print fmt("Why? %s",to_addr(url));

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150401/77d7f69b/attachment-0001.html 

More information about the Bro mailing list