[Bro-Dev] #849: SMTP analyzer and reporter warnings
Bro Tracker
bro at tracker.bro-ids.org
Thu Jul 12 08:53:13 PDT 2012
#849: SMTP analyzer and reporter warnings
----------------------+------------------------
 Reporter:  seth      |      Owner:
     Type:  Problem   |     Status:  new
 Priority:  Normal    |  Milestone:  Bro2.2
Component:  Bro       |    Version:  git/master
 Keywords:  analyzer  |
----------------------+------------------------
There are some warnings in the SMTP analyzer (ultimately from using the
MIME analyzer) that go to reporter but they are wildly unhelpful in
reporter.log. Here's an example line from reporter.log:
{{{
1342043855.564338	Reporter::WARNING	nested mail transaction	(empty)	-
}}}
Doing protocol violations on the smtp analyzer wouldn't quite be the right
thing either because the dpd framework might remove the smtp analyzer from
the connection. Part of the problem may stem from the fact that the MIME
analyzer isn't a true analyzer (it doesn't descend from Analyzer). There is
some obvious analyzer restructuring that needs to happen here but that can
wait for the larger analyzer work that is coming up.
Does anyone have thoughts about what we could do with this message now to
make it more useful?
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/849>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
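Until the reporter message carries connection context, the practical workaround is to triage reporter.log by hand: group the context-free warnings by message text and join them against smtp.log on the only key available, the timestamp. The script below is an added example for that triage, written for this page; it is not code from the ticket or from the Bro project. It assumes Bro's tab-separated ASCII log format with a `#fields` header, and both log excerpts in it are constructed for the example rather than captured output (the `(empty)` / `-` location values mirror the ticket's reporter.log line; the smtp.log uids and addresses are invented).

```python
"""Triage Bro reporter.log warnings that carry no script location.

Added example for the ticket discussion, not Bro project code. Assumes the
tab-separated ASCII log format with a '#fields' header line. The two log
excerpts below are constructed samples, not captured output.
"""
from collections import defaultdict

# Constructed reporter.log: three MIME-derived warnings with no location,
# one script warning that does carry a location (kept to show the filter).
REPORTER_LOG = """\
#separator \\x09
#fields\tts\tlevel\tmessage\tlocation
#types\ttime\tenum\tstring\tstring
1342043855.564338\tReporter::WARNING\tnested mail transaction\t(empty)
1342043855.564401\tReporter::WARNING\tnested mail transaction\t(empty)
1342043860.000100\tReporter::WARNING\tnested mail transaction\t-
1342043861.120000\tReporter::WARNING\tunknown option foo\t/opt/bro/share/bro/site/local.bro, line 12
#close\t2012-07-12-08-53-13
"""

# Constructed smtp.log: two sessions to correlate against by timestamp.
# The uids and addresses are invented.
SMTP_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p
#types\ttime\tstring\taddr\tport\taddr\tport
1342043855.500000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t192.0.2.25\t25
1342043859.900000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.7\t51300\t192.0.2.25\t25
"""

# Location values that mean "no script location" in the sample reporter.log.
NO_LOCATION = {"(empty)", "-", ""}


def parse_bro_log(text):
    """Yield one dict per record, keyed by the names in the '#fields' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blanks
        elif fields:
            yield dict(zip(fields, line.split("\t")))


def unlocated_warnings(reporter_text):
    """Group WARNING records that lack a location by message text.

    Returns {message: [ts, ...]} so a repeated, context-free warning such as
    'nested mail transaction' collapses into one entry with its timestamps.
    """
    groups = defaultdict(list)
    for rec in parse_bro_log(reporter_text):
        if rec["level"] != "Reporter::WARNING":
            continue
        if rec.get("location", "") in NO_LOCATION:
            groups[rec["message"]].append(float(rec["ts"]))
    return dict(groups)


def correlate(ts, smtp_text, window=1.0):
    """Return uids of smtp.log sessions that started within `window` seconds
    before the warning at time `ts`; time is the only join key available."""
    return [rec["uid"] for rec in parse_bro_log(smtp_text)
            if 0 <= ts - float(rec["ts"]) <= window]


if __name__ == "__main__":
    for msg, stamps in unlocated_warnings(REPORTER_LOG).items():
        print(f"{len(stamps):3d}x {msg!r} (no location)")
        for ts in stamps:
            print(f"     {ts:.6f} -> candidate uids {correlate(ts, SMTP_LOG)}")
```

The time-window join is only a heuristic: on a busy sensor several SMTP sessions can start within the same second, which is exactly why the ticket asks for the warning to carry connection information instead.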