[Bro-Dev] #606: broccoli and connection records

Bro Tracker bro at tracker.bro-ids.org
Mon Oct 17 22:14:02 PDT 2011


#606: broccoli and connection records
-----------------------+-----------------
  Reporter:  seth      |      Owner:
      Type:  Problem   |     Status:  new
  Priority:  Normal    |  Milestone:
 Component:  Broccoli  |    Version:
Resolution:            |   Keywords:
-----------------------+-----------------

Comment (by kreibich):

 I've looked at this for a while now. Unfortunately I don't yet have a
 solution, but I have a suspicion as to what's going on. Both you and
 Matthias (in his email from Sep 26) mentioned c$conn. This confused me at
 first because I didn't see it in the connection record definition, and I
 haven't used this stuff in a while. I then saw that
 base/protocols/conn/main.bro [*] redefs the connection record to include
 conn, which is, uhm, a big record. In particular, it looks like it
 includes fields of types Broccoli does not yet support. This line in the
 output is probably key:

 {{{
   59970 1315678636.044779 /tmp/tmp/bro/aux/broccoli/src/bro_sobject.c/109
 Creation of object type 0x8a0a failed.
 }}}

 0x8a0a = 0x8000 | 0x0a00 | 0x000a = a serialized object | that is a type |
 that is an '''enum'''.

 After that it all goes down the tubes. I'm not sure why things aren't
 recovering better, but the problem very likely isn't that Broccoli cannot
 handle an optional, still-null '''value''' that Bro sends, it's that
 Broccoli needs to understand the corresponding '''type''', sent first, in
 its entirety. I could be wrong and Bro isn't in fact sending the optional
 part of the type if the corresponding value doesn't actually need that
 type -- I need to dig further to figure it out. Alas, I don't think I can
 get this done before tomorrow's release.

 [*] OMG you killed bro.init! I am in awe!

-- 
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/606#comment:1>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker


