[Bro-Dev] question & meta-question regarding "path" field in smtp.log

Seth Hall seth at icir.org
Fri Dec 2 20:32:36 PST 2011


On Dec 1, 2011, at 5:37 AM, Vern Paxson wrote:

>> Yes, it's the path derived from the received headers and it's in reverse
>> order where the actual message originator would be found at the right side
>> and the receiver would be at the left.
> 
> But what about adding the client & server?  Are those added separately?
> It would appear so, though I'm not sure that's the right thing to do.
> It muddles the semantics somewhat, and also isn't necessary as the
> client & server info are available from other fields.


Hah, you're finding all of the places that I debated with myself for a long time.  I ended up adding the orig_h and resp_h for the current connection to the path field because I wanted an easy way to reliably find the address that originally sent the message.  If you are watching the actual message being sent from the MUA, then it obviously won't have any Received headers yet, but it was handy to have the orig_h for the connection there anyway.

Do you think we should cut those out?  It certainly made log processing easier when I added it.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
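The ordering the two messages above describe (receiver on the left, message originator on the right, with the endpoints of the observed connection included) is easy to get backwards when post-processing smtp.log, so here is an added worked example of building such a path from a constructed message. This is illustration code written for this page, not Bro's own smtp.bro logic: the placement of resp_h and orig_h in the first two slots, the helper names, and the sample Received headers and addresses are assumptions made here. The Received values are parsed by taking the bracketed address the receiving MTA recorded for its peer, since the hostname in front of it is self-reported by the sender.

```python
import ipaddress
import re

# The bracketed address a receiving MTA records for the host that connected
# to it, e.g. "[192.0.2.10]" or "[IPv6:2001:db8::1]". Everything else in a
# Received: header is text the sender chose and is not trusted here.
_BRACKETED_ADDR = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def received_hop_addr(received_value):
    """Return the first bracketed IP address in a Received: header value as a
    normalized string, or None when the header carries no usable address
    (for example a bare 'by ... (local delivery)' line with no 'from' clause)."""
    for m in _BRACKETED_ADDR.finditer(received_value):
        try:
            return str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            # Something bracketed that is not an address, e.g. "[unknown]".
            continue
    return None


def smtp_path(resp_h, orig_h, received_headers):
    """Build the path list: receiver on the left, originator on the right.

    resp_h / orig_h are the endpoints of the SMTP connection being observed.
    received_headers are the Received: values in message order, topmost
    first, i.e. the most recent hop first, which is exactly the reversed
    (receiver-to-originator) order the list discussion describes.

    Assumption of this example: the observed connection's resp_h and orig_h
    occupy the first two slots, so path[1] is always the address that
    actually sent the message to us, whether or not any Received headers
    exist yet (a MUA submitting a message directly has none)."""
    path = [str(ipaddress.ip_address(resp_h)), str(ipaddress.ip_address(orig_h))]
    for value in received_headers:
        addr = received_hop_addr(value)
        if addr is not None:
            path.append(addr)
    return path


# Constructed sample: a message that passed through two relays, captured as
# the last relay (203.0.113.5) delivers it to our server (198.51.100.20).
# Topmost header first, as it would appear in the message.
SAMPLE_RECEIVED = [
    "from relay1.example.net (relay1.example.net [203.0.113.40])\r\n"
    "\tby relay2.example.net (Postfix) with ESMTP id 4F2C1; Fri, 2 Dec 2011 20:00:00 -0800",
    "from [IPv6:2001:db8::1] (unknown [IPv6:2001:db8::1])\r\n"
    "\tby relay1.example.net with ESMTPA; Fri, 2 Dec 2011 19:59:30 -0800",
    "by relay0.example.org (local delivery); Fri, 2 Dec 2011 19:59:00 -0800",
]


if __name__ == "__main__":
    # Relayed message: receiver, sending relay, then each earlier hop.
    print(smtp_path("198.51.100.20", "203.0.113.5", SAMPLE_RECEIVED))
    # Direct submission from a MUA: only the connection endpoints are known.
    print(smtp_path("198.51.100.20", "192.0.2.7", []))
```

For the relayed sample the result is a four-element list whose last entry, 2001:db8::1, is the originator and whose second entry, 203.0.113.5, is the orig_h of the observed connection; the header with no bracketed address contributes nothing. The practical reason to keep the connection endpoints in the list is the one Seth gives: every entry derived from a Received header is text that an upstream host wrote and could have forged, whereas path[0] and path[1] come from the packets themselves, so an analyst who wants the one address that is known to have sent this message reads a fixed index rather than searching the headers.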
