[Bro-Dev] question & meta-question regarding "path" field in smtp.log

Vern Paxson vern at icir.org
Sun Dec 18 23:39:49 PST 2011

[catching up]

> Hah, you're finding all of the places that I debated with myself for a
> long time.  I ended up adding the orig_h and resp_h for the current
> connection to the path field because I wanted an easy way to reliably
> find the address that originally sent the message.  If you are watching
> the actual message being sent from the MUA then it obviously won't have
> any received headers yet but it was handy to have the orig_h for the
> connection there anyway.
> Do you think we should cut those out?  It certainly made log processing
> easier when I added it.

Hmmm, I'm somewhat torn.  I'm not a big fan of synthesizing information
that looks just like information directly extracted from the application
dialog, but I appreciate your finding that doing so made the log processing
easier.  I guess as long as "path" is carefully defined to not suggest
it's simply the overt application dialog, then leaving this as it is seems
okay to me.

