[Bro-Dev] [JIRA] (BIT-1159) count/port comparisons silently fail when part of a record

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Wed Mar 19 15:12:44 PDT 2014 

    [ https://bro-tracker.atlassian.net/browse/BIT-1159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15811#comment-15811 ] 

Jon Siwek commented on BIT-1159:
--------------------------------

I'm playing around w/ enabling more consistent type checking and found something interesting:

{code}
diff --git a/scripts/base/protocols/conn/inactivity.bro b/scripts/base/protocols/conn/inactivity.bro
index b383f1a..99233d3 100644
--- a/scripts/base/protocols/conn/inactivity.bro
+++ b/scripts/base/protocols/conn/inactivity.bro
@@ -8,12 +8,16 @@ export {
    ## the connection.
    const analyzer_inactivity_timeouts: table[Analyzer::Tag] of interval = {
        # For interactive services, allow longer periods of inactivity.
-       [[Analyzer::ANALYZER_SSH, Analyzer::ANALYZER_FTP]] = 1 hrs,
+       [Analyzer::ANALYZER_SSH] = 1 hrs,
+       [Analyzer::ANALYZER_FTP] = 1 hrs,
    } &redef;

    ## Define inactivity timeouts based on common protocol ports.
    const port_inactivity_timeouts: table[port] of interval = {
-       [[21/tcp, 22/tcp, 23/tcp, 513/tcp]] = 1 hrs,
+       [21/tcp] = 1 hrs,
+       [22/tcp] = 1 hrs,
+       [23/tcp] = 1 hrs,
+       [513/tcp] = 1 hrs,
    } &redef;

 }
{code}

Is the original code actually supposed to work?

I kind of hope not... the container ctor/init code is complicated enough without a shorthand way of unrolling table/set elements based on a list of indices that are all supposed to yield the same value.

{{FTP::cmd_reply_code}} does something similar.  Can I assume my new type-checking code is catching incorrect initializations in these cases?

> count/port comparisons silently fail when part of a record
> ----------------------------------------------------------
>
>                 Key: BIT-1159
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1159
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.2
>            Reporter: Justin Azoff
>            Assignee: Jon Siwek
>            Priority: Low
>              Labels: language
>
> If you try to compare a count to a port directly, you get the following:
> {code}
> operands must be of the same type (1500/tcp < 2000)
> {code}
> but if you have a record, and mixup the types like so, it silently fails:
> {code}
> type PortRange: record {
>     min: port &default=1/tcp;
>     max: port &default=65535/tcp;
> };
> global pr = PortRange($min=1000,$max=2000);
> #CORRECT: global pr = PortRange($min=1000/tcp,$max=2000/tcp);
> event bro_init()
> {
>     print (pr$min <= 1500/tcp  && 1500/tcp < pr$max) ? "OK" : "NOTOK";
> }
> {code}
> {code}
> $ bro a.bro
> NOTOK
> {code}



--
This message was sent by Atlassian JIRA
(v6.2-OD-10-004-WN#6253)

More information about the bro-dev mailing list