[Bro-Dev] #606: broccoli and connection records
Bro Tracker
bro at tracker.bro-ids.org
Mon Oct 17 22:14:02 PDT 2011
#606: broccoli and connection records
-----------------------+-----------------
Reporter: seth | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone:
Component: Broccoli | Version:
Resolution: | Keywords:
-----------------------+-----------------
Comment (by kreibich):
I've looked at this for a while now. Unfortunately I don't yet have a
solution, but I have a suspicion as to what's going on. Both you and
Matthias (in his email from Sep 26) mentioned c$conn. This confused me at
first because I didn't see it in the connection record definition, and I
haven't used this stuff in a while. I then saw that
base/protocols/conn/main.bro [*] redefs the connection record to include
conn, which is, uhm, a big record. In particular, it looks like it
includes fields of types Broccoli does not yet support. This line in the
output is probably key:
{{{
59970 1315678636.044779 /tmp/tmp/bro/aux/broccoli/src/bro_sobject.c/109
Creation of object type 0x8a0a failed.
}}}
0x8a0a = 0x8000 | 0x0a00 | 0x000a = a serialized object | that is a type |
that is an '''enum'''.
After that it all goes down the tubes. I'm not sure why things aren't
recovering better, but the problem very likely isn't that Broccoli cannot
handle an optional, still-null '''value''' that Bro sends, it's that
Broccoli needs to understand the corresponding '''type''', sent first, in
its entirety. I could be wrong and Bro isn't in fact sending the optional
part of the type if the corresponding value doesn't actually need that
type -- I need to dig further to figure it out. Alas, I don't think I can
get this done before tomorrow's release.
[*] OMG you killed bro.init! I am in awe!
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/606#comment:1>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
More information about the bro-dev
mailing list