[Bro] remote.bro problem?

scott campbell scampbell at lbl.gov
Thu Jun 9 16:52:27 PDT 2005 

I have a question regarding the use of IP addresses vs. hostnames in the
destinations file in remote.bro.

When the configuration is set up in the form:

redef destinations += {
       ["foo"] = [$host = weed.nersc.gov, $events = /.*/, $connect=T,
$retry = 60 secs, $ssl=T]
};

bro experiences an error at startup:

> -bash-2.05b$ bin/bro -t trace remote
> Execution tracing ON.
> 1118358881.581429 ./policy/remote.bro, line 56 ({128.55.14.206}): bad tag in Val::AsAddr

where the execution tracing at the point in question shows:

> 1118358881.581429 ./policy/remote.bro:80                Builtin Function called: set_buf(f = '<no value description>', buffered = 'F')
> 1118358881.581429 ./policy/remote.bro:80                Function return: <void value description>
> 1118358881.581429 ./policy/remote.bro:93                Builtin Function called: connect(ip = '{
>         128.55.14.206
> }', p = '47756/tcp', retry = '1.0 min', ssl = 'T')

  From the trace file, it seems that the name has been successfully
converted, but has additional spaces and returns.

When remote.bro is configured to use the IP address of the remote host,
startup is *normal* and the trace file looks like:

> 1118358999.795913 ./policy/remote.bro:80                Builtin Function called: set_buf(f = '<no value description>', buffered = 'F')
> 1118358999.795913 ./policy/remote.bro:80                Function return: <void value description>
> 1118358999.795913 ./policy/remote.bro:93                Builtin Function called: connect(ip = '128.55.14.206', p = '47756/tcp', retry = '1.0 min', ssl = 'T')

note the lack of spaces and returns.

Since the client cert is associated to the host name rather than the IP
address, I am getting authentication failures for ssl.

Any thoughts on how to fix this (besides getting a cert assigned to an IP)?

scott

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20050609/d41d071e/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20050609/d41d071e/attachment-0001.bin

More information about the Bro mailing list