[Bro] Fwd: Bug in drop.bro and patch
Jim Mellander
jmellander at lbl.gov
Tue Mar 29 13:52:58 PDT 2011
---------- Forwarded message ----------
From: Jim Mellander <jmellander at lbl.gov>
Date: Tue, Mar 29, 2011 at 1:49 PM
Subject: Bug in drop.bro and patch
To: bro-dev at bro-ids.org
Hi folks:

In drop.bro, if use_catch_release is F (indicating that you don't want
to use catch & release), bro will still attempt to unblock hosts after
a 1 day timeout by executing the clear_host function (see the
drop_info table), and if there is a restore-connectivity script in the
path, it will get executed, so you actually get a pseudo catch &
release.

The fix is to add a one-liner to the clear_host function, which
returns immediately if catch & release is not enabled. See patch
below:
====================================
*** drop.bro Tue Mar 29 13:39:44 2011
--- drop.bro.new Tue Mar 29 13:37:16 2011
***************
*** 283,288 ****
--- 283,289 ----
function clear_host(t: table[addr] of drop_rec, a: addr): interval
{
+ if ( ! use_catch_release ) return 0 secs;
if ( is_dropped(a) )
# Restore address.
do_restore(a, T);
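
Review bot: The early return added at the top of clear_host hands back 0 secs before the is_dropped(a) check, so with use_catch_release set to F the table entry is still allowed to expire while the address is never restored. If is_dropped() or any other drop-state lookup depends on that entry, Bro's record of the block goes away after the timeout while the block itself stays in place; it is worth confirming that, or keeping the entry from expiring at all when catch & release is off. A short comment on the new line saying that hosts stay blocked indefinitely in this mode would help the next reader, and the return would read better on its own line, matching the layout of the is_dropped(a) check below it.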