[Bro-Dev] Error with Multiple_Sig_Responders
Andrew Benson
abenson at gmail.com
Fri Feb 15 10:49:26 PST 2013
We noticed that one of our hosts was causing this error to be thrown:
1360776820.430495 Reporter::ERROR non-optional field "ts" missing in
initialization ([note=Signatures::Multiple_Sig_Responders,
src_addr=<REDACTED>, sig_id=<REDACTED>, event_msg=<REDACTED>, host_count=5,
sub_msg=<REDACTED> has triggered signature <REDACTED> on 5 hosts])
<no location>
I looked into it, and it looks to me like Multiple_Sig_Responders is in
fact missing that field.
--- a/scripts/base/frameworks/signatures/main.bro
+++ b/scripts/base/frameworks/signatures/main.bro
@@ -270,7 +270,7 @@
orig, sig_id, hcount);
Log::write(Signatures::LOG,
- [$note=Multiple_Sig_Responders,
+ [$ts=network_time(), $note=Multiple_Sig_Responders,
$src_addr=orig, $sig_id=sig_id, $event_msg=msg,
$host_count=hcount, $sub_msg=horz_scan_msg]);
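Review bot: the added $ts=network_time() on the + line fixes only this one record literal. The Reporter error quoted above shows that ts is a non-optional field, so every other Log::write(Signatures::LOG, ...) call in main.bro should be checked for the same omission before this is merged, otherwise the same runtime error will surface from a different notice type. Separately, the hunk header declares 7 lines on each side (@@ -270,7 +270,7 @@) but fewer lines are visible here and the leading indentation is gone, so the patch as mailed is unlikely to apply cleanly; resending it as a plain-text attachment or as git format-patch output would avoid that.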
--
AndrewB
Knowing is Half the Battle.