[Bro-Dev] BiF parsing index types
Vern Paxson
vern at icir.org
Tue May 24 09:33:33 PDT 2011
> I suppose the more direct question is, are there any times where values returned from nb_dns_activity being less than 0 would represent a fatal error?
IIRC, it's used by Bro at startup to resolve hostnames in the policy
scripts. If those fail to resolve due to a serious problem (rather than
just the name not existing), then arguably Bro is about to run with
fundamentally incorrect/missing information, which is not very safe.
That said, whether it should bomb out under such circumstances is
still debatable.
Vern