[Bro] When...timeout statement not executing

Mon Oct 17 11:55:39 PDT 2016

Hi Bro mailing list,

I'm having an issue where the when...timeout block isn't executing. I'll
post my code then explain the problem I'm experiencing. The relevant code
is:

when ( c$id$resp_h in valid_ipaddrs )
      {
      whitelist_status = "to whitelisted destination ";
      interesting = F;
      }
   timeout 3 sec
      {
      whitelist_status = "to non-whitelisted destination ";
      interesting = T;
      }

Basically, I'm checking connections against a set of whitelisted IP
addresses. The reason I'm using a when...timeout block is to avoid a race
condition so that if a whitelisted domain shows up with an IP address not
yet in the IP whitelist, we allow time for the new IP to be written so that
subsequent connections to the whitelisted domain don't trigger alerts by
attempting to look up the IP address before it has had time to be written
to the whitelist.

The problem I'm having is that sometimes neither block gets executed, so
when I do something like

    NOTICE([$note = Unauthorized,
            $msg = fmt("%s %s connection %s%s: ", internal_status,
get_port_transport_proto(c$id$orig_p), whitelist_status,
established_status),
            $conn = c]);

I'll get notices that have messages like

   Outgoing tcp connection established

since whitelist_status won't have been set
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161017/a4137234/attachment.html 