[Bro-Dev] [JIRA] (BIT-849) SMTP analyzer and reporter warnings

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Tue Mar 17 07:56:00 PDT 2015


     [ https://bro-tracker.atlassian.net/browse/BIT-849?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-849:
-----------------------------

    Assignee: Jon Siwek

> SMTP analyzer and reporter warnings
> -----------------------------------
>
>                 Key: BIT-849
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-849
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Jon Siwek
>              Labels: analyzer
>             Fix For: 2.4
>
>
> There are some warnings in the SMTP analyzer (ultimately from using the MIME analyzer) that go to reporter but they are wildly unhelpful in reporter.log.  Here's an example line from reporter.log:
> {noformat}
> 1342043855.564338	Reporter::WARNING	nested mail transaction	(empty)	-
> {noformat}
> Doing protocol violations on the smtp analyzer wouldn't quite be the right thing either because the dpd framework might remove the smtp analyzer from the connection.  Part of the problem may stem from the fact that MIME analyzer isn't a true analyzer (doesn't descend from Analyzer).  There is some obvious analyzer restructuring that needs to happen here but that can wait for the larger analyzer work that is coming up.
> Does anyone have thoughts about what we could do with this message now to make it more useful?



--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)
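The ticket's complaint is that a line like the one quoted carries no location or connection context, so an operator reading reporter.log can't tie it to anything. The following is an added example, not code from Bro or from anyone on this thread: it parses Bro's tab-separated ASCII log format (honouring the `#separator`, `#empty_field`, `#unset_field` and `#fields` header lines), groups warnings by message, and reports which messages never carried a location and therefore can't be correlated. The sample log is constructed; its columns (`ts`, `level`, `message`, `location`) follow the `#fields` header in the sample itself, and the message with a script location is made up for contrast.

```python
"""Triage a Bro reporter.log: count repeated warnings and flag the ones
that never carry a location (added example; sample log is constructed)."""

# Constructed sample in Bro's ASCII log layout. The first three data lines
# repeat the kind of message quoted in the ticket; the last two are invented.
SAMPLE_REPORTER_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\treporter
#fields\tts\tlevel\tmessage\tlocation
#types\ttime\tenum\tstring\tstring
1342043855.564338\tReporter::WARNING\tnested mail transaction\t(empty)
1342043855.564512\tReporter::WARNING\tnested mail transaction\t(empty)
1342043901.100000\tReporter::WARNING\tnested mail transaction\t(empty)
1342043950.000000\tReporter::INFO\treceived termination signal\t-
1342043960.250000\tReporter::WARNING\tconstructed warning with a location\t/opt/bro/share/bro/site/local.bro, line 12
"""


def parse_reporter_log(text):
    """Parse Bro ASCII log text into a list of dicts keyed by #fields names.

    The empty-field marker becomes "" and the unset-field marker becomes None,
    so callers can tell "present but empty" from "not set".
    """
    sep, empty, unset, fields = "\t", "(empty)", "-", None
    records = []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#"):
            if raw.startswith("#separator "):
                # Bro writes the separator escaped, e.g. "\x09" for a tab.
                sep = bytes(raw[len("#separator "):], "ascii").decode("unicode_escape")
            elif raw.startswith("#empty_field"):
                empty = raw.split(sep, 1)[1]
            elif raw.startswith("#unset_field"):
                unset = raw.split(sep, 1)[1]
            elif raw.startswith("#fields"):
                fields = raw.split(sep)[1:]
            continue  # #path, #types, #open, #close carry nothing we need here
        if fields is None:
            raise ValueError("data line before #fields header")
        cols = raw.split(sep)
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}: {raw!r}")
        records.append({
            name: (None if val == unset else "" if val == empty else val)
            for name, val in zip(fields, cols)
        })
    return records


def triage(records):
    """Group WARNING/ERROR entries by message text.

    For each message: how often it fired, how many instances had a location,
    and the first/last timestamps seen.
    """
    summary = {}
    for rec in records:
        if rec["level"] not in ("Reporter::WARNING", "Reporter::ERROR"):
            continue
        entry = summary.setdefault(rec["message"], {
            "count": 0, "located": 0, "first_ts": rec["ts"], "last_ts": rec["ts"],
        })
        entry["count"] += 1
        if rec["location"]:  # "" (empty) and None (unset) both mean no location
            entry["located"] += 1
        entry["last_ts"] = rec["ts"]
    return summary


def uncorrelatable(summary):
    """Messages that never carried a location: nothing to tie them to a connection."""
    return sorted(msg for msg, e in summary.items() if e["located"] == 0)


if __name__ == "__main__":
    recs = parse_reporter_log(SAMPLE_REPORTER_LOG)
    summ = triage(recs)
    for msg, e in sorted(summ.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{e['count']:4d}x  located={e['located']}  {msg}")
    print("no location, cannot correlate:", uncorrelatable(summ))
```

Run against a real reporter.log, the "no location" list is the set of messages this ticket is about: they tell you something went wrong in an analyzer but not on which connection.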