[Bro-Dev] [Bro-Commits] [git/bro] topic/bernhard/file-analysis-x509: Change x509 log - now certificates are only logged once per hour. (0d50b8b)

Siwek, Jonathan Luke jsiwek at illinois.edu
Thu Mar 13 08:50:26 PDT 2014

On Mar 13, 2014, at 9:45 AM, Bernhard Amann <bernhard at ICSI.Berkeley.EDU> wrote:

> What I did was to call…
> file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()), cert.length(),
>    bro_analyzer()->GetAnalyzerTag(), bro_analyzer()->Conn(), ${rec.is_orig});
> file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), bro_analyzer()->Conn(), ${rec.is_orig});
> in exactly this order (so - directly following each other). Which does not work.

It think it should work provided that matching file handles are generated at the script-layer for this type of file.  (not sure whether they are in this case, didn’t check)

> I also do not really think this is sufficiently documented in the comments of
> Manager.h. This basically is not mentioned at all there…

Yeah, it should probably at least link to [1] at least once.  Do you think it would help to link to that in each method where it matters?

[1] http://www.bro.org/development/howtos/file-analysis-file-id.html

- Jon

More information about the bro-dev mailing list