[Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters

Paul Pearce (JIRA) jira at bro-tracker.atlassian.net
Tue Apr 14 13:23:01 PDT 2015

    [ https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20301#comment-20301 ] 

Paul Pearce commented on BIT-1333:


Thanks for looking at this.

Robin, that behavior seems desirable to me as it provides for a completely reversible process. Can you elaborate a bit?

The issue I'm encountering has to do with these characters being outputted via the logging framework. My understanding of the framework is such that your solution (special function) would mean that you could never get the recoverable representation via logging. Is that correct? If so, that seems problematic given that many programs consume these logs.

Perhaps a middle ground solution would be a bro configuration operation that controls this behavior globally?

> Bro's ASCII logging facilities do not escape escape characters
> --------------------------------------------------------------
>                 Key: BIT-1333
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1333
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>            Reporter: Paul Pearce
>            Assignee: Robin Sommer
>             Fix For: 2.4
> * Bro escapes non-printable ASCII characters with either \x?? or ^ depending on the character (https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html). 
> * Bro does not however escape \ or ^. 
> * This behavior makes recovering the original string impossible as you can not differentiate between an escaped sequence and a string containing those characters. 
> Examples: 
> $ bro -e 'event bro_init() { print "foo \xc2\xae bar \\xc2\\xae baz"; }'
>  foo \xc2\xae bar \xc2\xae baz
> $ bro -e 'event bro_init() { print "foo\x00bar\\0baz"; }'
>  foo\0bar\0baz
> $ bro -e 'event bro_init() { print "foo \16 bar ^N baz"; }'
>  foo ^N bar ^N baz
> Additionally, it would be ideal if there was a way to standardize escaping to a single syntax (\x?? for all, for example). This would allow post-processing of the bro logs in languages like Python or Ruby trivially using existing decode/encode functionality. I'm happy to file a separate feature request for this behavior, if that is preferred.
> I brought this up on the mailing list (http://mailman.icsi.berkeley.edu/pipermail/bro/2015-February/008174.html). It was suggested (off list) that I file a ticket as well.

This message was sent by Atlassian JIRA
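
An added example, not part of the original message and not Bro's code: a Python sketch of the ambiguity the ticket describes, next to a single-syntax `\x??` scheme that also escapes the backslash so the log field can be decoded back to the original bytes. `legacy_escape` is a simplified model of the reported behaviour (only the `\x??` form, not `^` or `\0`), and all function names are hypothetical.

```python
import re

PRINTABLE = range(0x20, 0x7f)

def legacy_escape(data: bytes) -> str:
    """Simplified model of the reported behaviour: non-printable bytes
    become \\xNN, but a literal backslash is passed through unchanged."""
    return "".join(chr(b) if b in PRINTABLE else f"\\x{b:02x}" for b in data)

def reversible_escape(data: bytes) -> str:
    """Single-syntax variant: the escape character itself is also escaped."""
    return "".join(
        chr(b) if b in PRINTABLE and b != 0x5c else f"\\x{b:02x}" for b in data
    )

_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")

def unescape(text: str) -> bytes:
    """Inverse of reversible_escape; rejects any backslash that is not
    part of a \\xNN sequence, since reversible_escape never emits one."""
    out = bytearray()
    pos = 0
    while pos < len(text):
        if text[pos] == "\\":
            m = _HEX.match(text, pos)
            if not m:
                raise ValueError(f"stray backslash at offset {pos}")
            out.append(int(m.group(1), 16))
            pos = m.end()
        else:
            out.append(ord(text[pos]))
            pos += 1
    return bytes(out)

def collides(a: bytes, b: bytes, escape) -> bool:
    """True when two different byte strings produce the same log field."""
    return a != b and escape(a) == escape(b)

# Constructed inputs mirroring the ticket's first example.
RAW = b"foo \xc2\xae bar"          # real bytes 0xc2 0xae
LITERAL = b"foo \\xc2\\xae bar"    # the eight characters \xc2\xae typed literally

if __name__ == "__main__":
    print(legacy_escape(RAW), "|", legacy_escape(LITERAL))
    print(reversible_escape(RAW), "|", reversible_escape(LITERAL))
```
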
