[Bro] string to address issue w/ is_v6_addr

Mike Dopheide dopheide at gmail.com
Wed Apr 1 11:17:15 PDT 2015

Thanks for the background!   Looks like what I need is is_valid_ip() from

Problem was I was starting with a string that could be an IP or could be a


On Wed, Apr 1, 2015 at 1:08 PM, Siwek, Jon <jsiwek at illinois.edu> wrote:

> > On Apr 1, 2015, at 12:03 PM, Mike Dopheide <dopheide at gmail.com> wrote:
> >
> > This confused me for quite some time this morning so I thought I'd
> share.  The script should make it clear, but when attempting to take a url
> string and test to see if it's a valid address, the output from to_addr
> creates a 'valid' ipv6 address.
> >
> > Is that a requirement for some reason internally?
> to_addr() returning the unspecified IPv6 address on failure to convert an
> IP string to Bro’s address type is just an arbitrary choice.
> Alternatively, it could return the unspecified IPv4 address, but
> that doesn’t really save anything — internally Bro’s address values all use
> a full 128 bits (IPv4 uses the “IPv4-mapped IPv6” representation).  It
> could also return a record type:
>         type opt_addr: record { a: addr &optional; };
> or
>         type opt_addr: record { a: addr; success: bool; };
> Where in the first, it only sets the field if the conversion succeeded,
> but failure to check for that field’s existence before accessing is
> potentially more problematic than failure to check for [::].   In either,
> it’s adding another data type the user has to remember or look up how to use.
> So that’s the backstory of why [::] is the failure indicator.  One could
> also argue that using the unspecified IPv6 address (or IPv4) as a return
> value makes it ambiguous to try to parse “::” (or “”) as the input
> string and I’d be on board w/ that and vote to switch to one of the
> return-a-record styles.
> Anyway, from the example you gave, did you just mean to use
> “lookup_hostname” instead of “to_addr” ?
> - Jon
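
An added example, not code from this thread or from the Bro distribution: a wrapper that checks is_valid_ip() before calling to_addr() and returns the optional-field record suggested above, so a caller never has to treat [::] as a failure sentinel. The name parse_host and the sample strings are hypothetical, and it assumes is_valid_ip() is available from Bro's default-loaded base scripts.

```bro
# Added example. opt_addr follows the record shape proposed in the thread;
# parse_host is a hypothetical helper name.
type opt_addr: record {
    a: addr &optional;   # set only when the input parsed as an IP literal
};

function parse_host(s: string): opt_addr
    {
    # Validate the string first, so the [::] that to_addr() returns on
    # failure is never mistaken for a parsed address.
    if ( is_valid_ip(s) )
        return opt_addr($a=to_addr(s));

    # Field left unset: the string is not an IP literal.
    return opt_addr();
    }

event bro_init()
    {
    # Constructed sample inputs: IPv4 literal, IPv6 literal, the
    # unspecified IPv6 address, and a hostname.
    local samples = vector("192.0.2.10", "2001:db8::1", "::", "www.example.com");

    for ( i in samples )
        {
        local r = parse_host(samples[i]);

        # Check ?$ before touching r$a; accessing an unset optional
        # field is a runtime error.
        if ( r?$a )
            print fmt("%s -> address %s (is_v6_addr=%s)",
                      samples[i], r$a, is_v6_addr(r$a));
        else
            print fmt("%s -> not an IP literal, handle as a hostname",
                      samples[i]);
        }
    }
```

For strings that turn out to be hostnames, resolution is a separate step (lookup_hostname, as mentioned in the reply above), not something to_addr() performs.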