[Bro-Dev] [JIRA] (BIT-1045) Review usage of InternalError when parsing network traffic

Robin Sommer robin at icir.org
Mon Jul 29 09:56:28 PDT 2013



On Sun, Jul 28, 2013 at 09:11 -0500, you wrote:

> Reporter->InternalError denotes a fatal error, and will cause Bro to
> stop. Calling this function when parsing network traffic creates the
> possibility for an attacker using a "packet of death," which could
> stop Bro.

Ack, InternalError() is not something that external input should be
able to trigger. I already removed a number of these over time, but
never looked systematically for them.

> I suspect that in most cases, a weird should be generated instead, and
> Bro should just move on to the next packet.

Agreed, though sometimes they aren't about the traffic but about a
logic error in decoding it; it would be good to still differentiate
those cases from a broken packet, however indeed without aborting.
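
The distinction discussed in this thread, sketched as an added example that is not part of the original message or of Bro's code: malformed input produces a weird, a decoder logic error is reported separately, and neither path aborts. Reporter, Decoder, Result and the record format are hypothetical names and a constructed toy format, not Bro's API.

```cpp
// Added illustration: Reporter, Decoder and the record format are hypothetical, not Bro's API.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <map>
#include <string>
#include <vector>

struct Reporter {
    std::vector<std::string> weirds;    // malformed traffic: expected on hostile networks
    std::vector<std::string> internal;  // decoder logic errors: logged, never fatal
    void Weird(const std::string& name) { weirds.push_back(name); }
    void InternalWarning(const std::string& msg) { internal.push_back(msg); }
};

enum class Result { Ok, BadPacket, DecoderBug };
using Handler = std::function<void(const uint8_t*, size_t)>;

// Constructed toy format: [type:1][len:1][payload:len]; types 1..3 are valid.
struct Decoder {
    Reporter& rep;
    std::map<uint8_t, Handler> handlers;  // registered by decoder code, not by traffic
    explicit Decoder(Reporter& r) : rep(r) {}
    Result Deliver(const uint8_t* data, size_t size) {
        if (size < 2) { rep.Weird("truncated_header"); return Result::BadPacket; }
        const uint8_t type = data[0];
        const size_t len = data[1];
        if (type < 1 || type > 3) { rep.Weird("unknown_record_type"); return Result::BadPacket; }
        if (len > size - 2) { rep.Weird("length_exceeds_packet"); return Result::BadPacket; }
        auto it = handlers.find(type);
        if (it == handlers.end()) {
            // Valid on the wire, so the fault is the decoder's: report it apart from weirds, skip, do not abort.
            rep.InternalWarning("no handler registered for valid record type");
            return Result::DecoderBug;
        }
        it->second(data + 2, len);
        return Result::Ok;
    }
};

int main() {
    Reporter rep;
    Decoder d(rep);
    d.handlers[1] = [](const uint8_t*, size_t n) { std::printf("type 1, %zu bytes\n", n); };
    const uint8_t bad[] = {1, 9, 'a'};  // constructed: length field overruns the packet
    const uint8_t bug[] = {3, 0};       // constructed: valid type with no handler
    d.Deliver(bad, sizeof bad); d.Deliver(bug, sizeof bug);
    std::printf("weirds=%zu internal=%zu\n", rep.weirds.size(), rep.internal.size());
}
```

Both failure paths return to the caller, so processing continues with the next packet while the two report streams stay distinguishable.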


