[Bro-Dev] [Bro-Commits] [git/bro] topic/bernhard/file-analysis-x509: Change x509 log - now certificates are only logged once per hour. (0d50b8b)

Siwek, Jonathan Luke jsiwek at illinois.edu
Thu Mar 13 07:38:24 PDT 2014

On Mar 13, 2014, at 2:17 AM, Bernhard Amann <bernhard at ICSI.Berkeley.EDU> wrote:

>    You apparently have to be very careful which EndOfFile function of
>    the file analysis framework you call... otherwhise it might try
>    to close another file id. This took me quite a while to find.

I think that should be the case for any methods of the file analysis interface that don’t use a pre-computed file id, but only if the file handles returned from the script layer “get_file_handle” function end up differing between calls to the file analysis interface.  So the question I’d try to answer would be “are the file handles returned from my get_file_handle function differing unintentionally?”

Ultimately, moving to the pre-computed file id interface like you did makes sense for this code since you know the two calls to the file analysis interface right next to each other are associated w/ the same file.

- Jon

More information about the bro-dev mailing list