[Bro-Dev] Bug in drop.bro and patch

Jim Mellander jmellander at lbl.gov
Tue Mar 29 13:49:48 PDT 2011

Hi folks:

In drop.bro, if use_catch_release is F (indicating that you don't want
to use catch & release), bro will still attempt to unblock hosts after
a 1 day timeout by executing the clear_host function (see the
drop_info table), and if there is a restore-connectivity script in the
path, it will get executed, so you actually get a pseudo catch &

The fix is to add a one-liner to the clear_host function, which
returns immediately if catch & release is not enabled.  See patch:


*** drop.bro	Tue Mar 29 13:39:44 2011
--- drop.bro.new	Tue Mar 29 13:37:16 2011
*** 283,288 ****
--- 283,289 ----

  function clear_host(t: table[addr] of drop_rec, a: addr): interval
+ 	if ( ! use_catch_release )	return 0 secs;
  	if ( is_dropped(a) )
  		# Restore address.
  		do_restore(a, T);
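Review bot: The new guard stops do_restore() from running, but the expire function still returns 0 secs for the entry, so with use_catch_release set to F the drop_info entry is still dropped from the table after the one-day timeout while the host stays blocked at the firewall; please confirm that is intended, since is_dropped(a) will then report the host as not dropped, or consider returning a long extension interval instead so the record is kept. Also, the function body's opening `{` is not visible in this hunk, so double-check that the added line lands inside the body (after the brace line) rather than between the signature and the brace. Minor style point: the surrounding code puts the statement on its own indented line after the `if ( ... )`, e.g. `if ( ! use_catch_release )` followed by `return 0 secs;` on the next line, rather than tab-separated on the same line.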

