[Bro] Bro's escaping of non-printable characters behaves unexpectedly

Paul Pearce pearce at cs.berkeley.edu
Tue Feb 17 16:20:18 PST 2015


Hello everyone,

I'm encountering a problem where I am unable to reconstruct original
inputs from Bro log files. This example summarizes the problem:

----
$ bro -e 'event bro_init() { print "foo\x00bar\\0baz"; }'

foo\0bar\0baz
----

This makes recovering the original input impossible, as you can't
differentiate between the escaped null and the ASCII characters '\'
and '0'.

If Bro was going to implicitly escape the string, I would have
expected the following output:

----
$ bro -e 'event bro_init() { print "foo\x00bar\\0baz"; }'

foo\0bar\\0baz
----

A workaround would be to output files in raw mode, however I am
encountering this problem with logs generated via the logging
framework, which supports no such option (AFAIK).

Another workaround would be to substitute '\' for '\\' in all such
outputs before handing them to the logging framework, but that
solution seems... subpar.

My read here is that Bro's auto-escaping functionality should be
changed to allow reconstruction of inputs in all cases.

Thanks.
-Paul
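
The ambiguity reported above, as an added example that is not part of the original post and is not Bro's own code: a Python model of the two escaping behaviours, with a decoder that recovers the input only when the backslash itself is escaped. The function names and the `\xNN` form for other non-printable bytes are assumptions made for illustration.

```python
# Added illustration: models the two outputs shown in the post, not Bro's source.

def escape(data: bytes, escape_backslash: bool) -> str:
    """Render bytes as printable text.

    escape_backslash=False reproduces the reported output (NUL -> \\0,
    backslash untouched); True reproduces the output the post expected.
    """
    out = []
    for b in data:
        if b == 0x5C and escape_backslash:
            out.append("\\\\")
        elif b == 0x00:
            out.append("\\0")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)  # assumed form for other bytes
    return "".join(out)

def unescape(text: str) -> bytes:
    """Inverse of escape(..., escape_backslash=True); rejects malformed input."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] != "\\":
            out.append(ord(text[i]))
            i += 1
            continue
        kind = text[i + 1:i + 2]
        if kind == "\\":
            out.append(0x5C)
            i += 2
        elif kind == "0":
            out.append(0x00)
            i += 2
        elif kind == "x" and len(text[i + 2:i + 4]) == 2:
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        else:
            raise ValueError("malformed escape at offset %d" % i)
    return bytes(out)

# Constructed inputs: the string from the post, and one with two real NULs.
ORIGINAL = b"foo\x00bar\\0baz"
TWO_NULS = b"foo\x00bar\x00baz"

if __name__ == "__main__":
    print(escape(ORIGINAL, False), escape(TWO_NULS, False))  # identical lines
    print(escape(ORIGINAL, True), escape(TWO_NULS, True))    # distinct lines
```
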

