[Bro-Dev] Error with Multiple_Sig_Responders

Andrew Benson abenson at gmail.com
Fri Feb 15 10:49:26 PST 2013


We noticed that one of our hosts was causing this error to be thrown:

1360776820.430495       Reporter::ERROR non-optional field "ts" missing in
initialization ([note=Signatures::Multiple_Sig_Responders,
src_addr=<REDACTED>, sig_id=<REDACTED>, event_msg=<REDACTED>, host_count=5,
sub_msg=<REDACTED> has triggered signature <REDACTED> on 5 hosts])
 <no location>

I looked into it, and it looks to me like Multiple_Sig_Responders is in
fact missing that field.

--- a/scripts/base/frameworks/signatures/main.bro
+++ b/scripts/base/frameworks/signatures/main.bro
@@ -270,7 +270,7 @@
                                orig, sig_id, hcount);

                Log::write(Signatures::LOG,
-                       [$note=Multiple_Sig_Responders,
+                       [$ts=network_time(), $note=Multiple_Sig_Responders,
                     $src_addr=orig, $sig_id=sig_id, $event_msg=msg,
                     $host_count=hcount, $sub_msg=horz_scan_msg]);

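Review bot: On the `Log::write(Signatures::LOG, ...)` line, `$ts=network_time()` fixes only this one call site. The reporter error quoted above shows `ts` is a non-optional field, so any other place in main.bro that builds this record without `$ts` would fail the same way and drop its log entry. It is worth checking every other `Log::write(Signatures::LOG` call in the file for `$ts` as part of this change. As a style point, putting `$ts=network_time(),` on its own line would leave the `$note=Multiple_Sig_Responders,` line untouched and make the diff a pure addition.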

--
AndrewB
Knowing is Half the Battle.