[Bro-Dev] script loading implementation

Jonathan Siwek jsiwek at ncsa.illinois.edu
Thu Jun 16 11:03:52 PDT 2011


With the way the new policy scripts use (abuse?) loading scripts from subdirectories of BROPATH, it seems easier to confuse the mechanism by which the scanner knows whether a given script has already been loaded.  Consider a policy tree like:

.
├── A
│   └── B
│       └── script.bro
├── other scripts/directories (e.g. loader.bro)

If BROPATH contains ".:A" (the policy root plus A/), then "script.bro" could potentially be loaded twice (thus causing errors) when both the "A/B/script" and "B/script" input forms are @load'd either from other scripts or from user input.

The common pitfall would probably be when "loader.bro" is some script that always gets loaded by default and itself does a "@load B/script".  A user attempting to run bro will see errors when they try `bro A/B/script` (or even `bro B/script.bro`), but `bro B/script` will work.

I want to change it so that:

1) all paths branching off BROPATH that lead to the script-being-loaded should be considered as loaded

2) inputs to @loads (and user arguments) without a .bro extension should also consider the .bro input form as loaded (currently it only does the reverse)

Does this sound good, or were there any other ideas to simplify the script loading process (the current scan.l already seems to be somewhat complicated in the way this happens)?

- Jon
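The two rules proposed above (every BROPATH-relative spelling of a script counts as the same script, and an input with or without the ".bro" extension resolves to the same file) amount to resolving each @load argument to one canonical file path and keying the "already loaded" set on that path rather than on the literal input string. The following Python model is an added illustration of that resolution order and is not Bro's own scanner code (the real logic lives in scan.l, in flex/C++); the policy tree, the BROPATH value ".:A" and the class and function names are constructed for the example.

```python
import os
from typing import Iterable, Iterator, List, Optional, Set

# Constructed policy tree standing in for the filesystem in the post:
#   ./A/B/script.bro and ./loader.bro (paths relative to the policy root).
SAMPLE_TREE = {"A/B/script.bro", "loader.bro"}


class ScriptLoader:
    """Tracks loaded scripts by canonical path instead of by @load spelling."""

    def __init__(self, bropath: Iterable[str], files: Iterable[str]) -> None:
        self.bropath: List[str] = [os.path.normpath(d) for d in bropath]
        self.files: Set[str] = {os.path.normpath(f) for f in files}
        self.loaded: Set[str] = set()       # canonical paths (proposed rule 1)
        self.loaded_by_name: Set[str] = set()  # literal inputs (the old pitfall)

    def candidates(self, name: str) -> Iterator[str]:
        """Yield every BROPATH-relative path the input could refer to.

        Both the bare form and the ".bro" form are tried (proposed rule 2),
        in BROPATH order, so the first hit is the one Bro would open.
        """
        names = [name] if name.endswith(".bro") else [name, name + ".bro"]
        for directory in self.bropath:
            for candidate in names:
                yield os.path.normpath(os.path.join(directory, candidate))

    def resolve(self, name: str) -> Optional[str]:
        """Return the canonical path the input resolves to, or None.

        On a real filesystem os.path.realpath() would be applied here as well,
        so that symlinked copies of a directory also collapse to one path.
        """
        for candidate in self.candidates(name):
            if candidate in self.files:
                return candidate
        return None

    def load(self, name: str) -> bool:
        """Load a script; return True on first load, False if already loaded."""
        path = self.resolve(name)
        if path is None:
            raise FileNotFoundError(f"no script for @load {name!r} in BROPATH")
        self.loaded_by_name.add(name)
        if path in self.loaded:
            return False
        self.loaded.add(path)
        return True

    def naive_is_loaded(self, name: str) -> bool:
        """Old-style check keyed on the literal input string, for comparison."""
        return name in self.loaded_by_name


def simulate(requests: Iterable[str],
             bropath: Iterable[str] = (".", "A"),
             files: Iterable[str] = SAMPLE_TREE) -> List[bool]:
    """Replay a sequence of @load inputs and report which ones were first loads."""
    loader = ScriptLoader(bropath, files)
    return [loader.load(r) for r in requests]


if __name__ == "__main__":
    # loader.bro does "@load B/script"; the user then runs `bro A/B/script`.
    loader = ScriptLoader(bropath=(".", "A"), files=SAMPLE_TREE)
    for request in ("loader", "B/script", "A/B/script", "B/script.bro"):
        first = loader.load(request)
        print(f"@load {request:14} -> {loader.resolve(request)} "
              f"{'loaded' if first else 'already loaded (skipped)'}")
```

With BROPATH ".:A", the inputs "B/script", "A/B/script" and "B/script.bro" all resolve to "A/B/script.bro", so only the first of them is actually loaded; the string-keyed `naive_is_loaded` check would have treated the three spellings as different scripts, which is exactly the double-load error described in the post.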
