[Bro] When...timeout statement not executing

Alex Hope alex.hope at shopify.com
Mon Oct 17 11:58:16 PDT 2016


Prematurely sent email....

It is worth mentioning that if I use an if...else block, I do not have this
problem, but then I run into the race condition :/



On Mon, Oct 17, 2016 at 2:55 PM, Alex Hope <alex.hope at shopify.com> wrote:

> Hi Bro mailing list,
>
> I'm having an issue where the when...timeout block isn't executing. I'll
> post my code then explain the problem I'm experiencing. The relevant code
> is:
>
>
>     when ( c$id$resp_h in valid_ipaddrs )
>         {
>         whitelist_status = "to whitelisted destination ";
>         interesting = F;
>         }
>     timeout 3 sec
>         {
>         whitelist_status = "to non-whitelisted destination ";
>         interesting = T;
>         }
>
> Basically, I'm checking connections against a set of whitelisted IP
> addresses. The reason I'm using a when...timeout block is to avoid a race
> condition so that if a whitelisted domain shows up with an IP address not
> yet in the IP whitelist, we allow time for the new IP to be written so that
> subsequent connections to the whitelisted domain don't trigger alerts by
> attempting to look up the IP address before it has had time to be written
> to the whitelist.
>
> The problem I'm having is that sometimes neither block gets executed, so
> when I do something like
>
>     NOTICE([$note = Unauthorized,
>             $msg = fmt("%s %s connection %s%s: ", internal_status,
>                        get_port_transport_proto(c$id$orig_p), whitelist_status,
>                        established_status),
>             $conn = c]);
>
> I'll get notices that have messages like
>
>    Outgoing tcp connection established
>
> since whitelist_status won't have been set
>
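
Added example, not part of the original message or of the poster's script: Bro's when statement is asynchronous, so the statement that follows it runs immediately, and the when/timeout bodies run later on copies of the handler's local variables. This sketch, in the Bro 2.x syntax used in the thread, raises the notice from inside the bodies. The module name, the report() helper, the choice of connection_established and the shortened message text are assumptions; valid_ipaddrs, Unauthorized and the status strings follow the post.

```bro
# Added example; names not taken from the post are hypothetical.
module WhitelistExample;

export {
    redef enum Notice::Type += { Unauthorized };

    # Filled in elsewhere (for instance by a DNS handler) as whitelisted
    # domains resolve; assumed to be a global so that `when` can watch it.
    global valid_ipaddrs: set[addr] = {};
}

# Hypothetical helper: builds the notice once the whitelist outcome is known.
function report(c: connection, whitelist_status: string)
    {
    NOTICE([$note = Unauthorized,
            $msg = fmt("Outgoing %s connection %s",
                       get_port_transport_proto(c$id$orig_p),
                       whitelist_status),
            $conn = c]);
    }

event connection_established(c: connection)
    {
    # The handler does not wait here. The condition is re-checked when
    # valid_ipaddrs changes, and exactly one of the two bodies runs later.
    when ( c$id$resp_h in valid_ipaddrs )
        {
        # Destination was (or became) whitelisted within 3 seconds:
        # nothing to report.
        }
    timeout 3 sec
        {
        # Still not whitelisted after the grace period.
        report(c, "to non-whitelisted destination");
        }

    # Code placed here runs before either body above. A local assigned
    # inside the bodies would still be unset at this point, which matches
    # the notices with an empty whitelist_status described in the post.
    }
```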