[Bro] Fwd: Bug in drop.bro and patch

Jim Mellander jmellander at lbl.gov
Tue Mar 29 13:52:58 PDT 2011


---------- Forwarded message ----------
From: Jim Mellander <jmellander at lbl.gov>
Date: Tue, Mar 29, 2011 at 1:49 PM
Subject: Bug in drop.bro and patch
To: bro-dev at bro-ids.org


Hi folks:

In drop.bro, if use_catch_release is F (indicating that you don't want
to use catch & release), bro will still attempt to unblock hosts after
a 1 day timeout by executing the clear_host function (see the
drop_info table), and if there is a restore-connectivity script in the
path, it will get executed, so you actually get a pseudo catch &
release.

The fix is to add a one-liner to the clear_host function, which
returns immediately if catch & release is not enabled.  See patch
below:

====================================

*** drop.bro    Tue Mar 29 13:39:44 2011
--- drop.bro.new        Tue Mar 29 13:37:16 2011
***************
*** 283,288 ****
--- 283,289 ----

 function clear_host(t: table[addr] of drop_rec, a: addr): interval
       {
+       if ( ! use_catch_release )      return 0 secs;
       if ( is_dropped(a) )
               # Restore address.
               do_restore(a, T);
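Review bot: the early return `return 0 secs;` silently changes what happens to the table entry: an expire function returning 0 secs tells Bro to remove the entry from drop_info without calling do_restore, so with use_catch_release set to F the drop record disappears after the timeout and the host stays blocked with no record of it in the table. If that is the intended behaviour, say so in a comment above the check (e.g. `# Catch & release disabled: drop the record but leave the block in place.`) so the next reader does not mistake it for an oversight; if the record should instead be kept, the function would need to return a non-zero interval rather than 0 secs. Minor style point: the added line puts the `return` on the same line as the `if` with tab padding, while the surrounding code puts the body on its own indented line; matching that layout keeps the hunk consistent with the rest of clear_host.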



