[Bro-Dev] [JIRA] (BIT-1338) http response mime types uninitialized in file_over_new_connection event

Paul Pearce (JIRA) jira at bro-tracker.atlassian.net
Wed Mar 11 19:57:00 PDT 2015


    [ https://bro-tracker.atlassian.net/browse/BIT-1338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19929#comment-19929 ] 

Paul Pearce commented on BIT-1338:
----------------------------------

Interesting.

I can extract the information I need during the file_mime_type event but I can't store it where needed (directly). Based on mime-types I perform specific analysis and then annotate connections for use in later events. The connection object is not available directly from fa_file.

A workaround for this behavior is to add a connection field to the fa_file record, set the connection inside the file_over_new_connection event, then decorate the connection in the file_mime_type event. This works (tested) but seems oddly complex.

{code:none}
# Carry the connection along with the file so later file events can reach it.
redef record fa_file += {
    conn: connection &optional;
};

# Only HTTP responses are of interest; remember their connection on the file.
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) {
    if ( c?$http && !is_orig ) {
        f$conn = c;
    }
}

# By the time this fires the mime type is known; annotate the stored connection.
event file_mime_type(f: fa_file, mime_type: string) {
    if ( f?$conn ) {
        # Do work
    }
}
{code}

I'll leave it to you folks to decide whether that is a desired behavioral change. One suggestion I'd make is that the 2.4 release notes do not adequately convey this event change (https://www.bro.org/sphinx-git/install/release-notes.html#changed-functionality), at least to me. A note about changes in when information is available in event progression would have helped me.

Thanks.

> http response mime types uninitialized in file_over_new_connection event
> ------------------------------------------------------------------------
>
>                 Key: BIT-1338
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1338
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Paul Pearce
>              Labels: mime
>
> http resp_mime_types (accessed via: connection$http$resp_mime_types) are no longer initialized during the file_over_new_connection event. This is new behavior between Bro v2.3 and git/master.
> The following snippet shows the new behavior on one of the included bro test traces.
> {code:bash}
> $ bro_v23 -e 'event file_over_new_connection(f: fa_file, c:connection, is_orig:bool){ print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace 
> T
> $ bro_git -e 'event file_over_new_connection(f: fa_file, c:connection, is_orig:bool){ print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace 
> F
> {code}
> It's worth pointing out that ultimately the resp_mime_types field does get set for subsequent events.
> {code:bash}
> $ bro_v23 -e 'event http_message_done (c: connection, is_orig: bool,  stat: http_message_stat){ if (!is_orig) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace 
> T
> $ bro_git -e 'event http_message_done (c: connection, is_orig: bool,  stat: http_message_stat){ if (!is_orig) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace 
> T
> {code}
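An added example that is not part of the ticket: it builds on the workaround in the comment above and uses the stored connection to annotate http.log with the sniffed response mime type, flagging responses whose sniffed type disagrees with the Content-Type the server declared. It assumes the git/master event names used in the ticket (file_over_new_connection, file_mime_type) and the standard http_header event; the fields declared_ct, sniffed_mime and mime_mismatch are my own additions, not existing HTTP::Info fields.

```bro
# Added example, not code from the ticket or from Bro itself.
# Carry the connection on the file, as in the workaround above.
redef record fa_file += {
    conn: connection &optional;
};

# Extra http.log columns (assumed names, not part of stock HTTP::Info).
redef record HTTP::Info += {
    ## Content-Type the server declared in the response header.
    declared_ct:   string &optional &log;
    ## Mime type determined by the file analysis framework.
    sniffed_mime:  string &optional &log;
    ## T when the sniffed type does not match the declared one.
    mime_mismatch: bool &default=F &log;
};

# Record the declared Content-Type of the response, parameters stripped.
# Bro delivers header names upper-cased in http_header.
event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    if ( is_orig || ! c?$http || name != "CONTENT-TYPE" )
        return;
    c$http$declared_ct = to_lower(strip(sub(value, /;.*/, "")));
    }

# Only HTTP responses matter here; the mime type is not yet known at this point.
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
    {
    if ( ! is_orig && c?$http )
        f$conn = c;
    }

# The mime type is available now; decorate the connection stored on the file.
event file_mime_type(f: fa_file, mime_type: string)
    {
    if ( ! f?$conn )
        return;

    local c = f$conn;
    c$http$sniffed_mime = mime_type;

    # No declared type (header missing) means nothing to compare against.
    if ( c$http?$declared_ct && c$http$declared_ct != mime_type )
        c$http$mime_mismatch = T;
    }
```

The exact-string comparison is deliberately simple; in practice you would map equivalent types (for example application/octet-stream against anything) before treating a mismatch as suspicious.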


