[Bro-Dev] [Bro-Commits] [git/bro] topic/bernhard/file-analysis-x509: Change x509 log - now certificates are only logged once per hour. (0d50b8b)
Siwek, Jonathan Luke
jsiwek at illinois.edu
Thu Mar 13 07:38:24 PDT 2014
On Mar 13, 2014, at 2:17 AM, Bernhard Amann <bernhard at ICSI.Berkeley.EDU> wrote:
> You apparently have to be very careful which EndOfFile function of
> the file analysis framework you call... otherwhise it might try
> to close another file id. This took me quite a while to find.
I think that should be the case for any methods of the file analysis interface that don’t use a pre-computed file id, but only if the file handles returned from the script layer “get_file_handle” function end up differing between calls to the file analysis interface. So the question I’d try to answer would be “are the file handles returned from my get_file_handle function differing unintentionally?”
Ultimately, moving to the pre-computed file id interface like you did makes sense for this code since you know the two calls to the file analysis interface right next to each other are associated w/ the same file.
More information about the bro-dev