[Bro] When...timeout statement not executing
Alex Hope
alex.hope at shopify.com
Mon Oct 17 11:58:16 PDT 2016
Prematurely sent email....
It is worth mentioning that if I use an if...else block, I do not have this
problem, but then I run into the race condition :/
On Mon, Oct 17, 2016 at 2:55 PM, Alex Hope <alex.hope at shopify.com> wrote:
> Hi Bro mailing list,
>
> I'm having an issue where the when...timeout block isn't executing. I'll
> post my code then explain the problem I'm experiencing. The relevant code
> is:
>
>
> when ( c$id$resp_h in valid_ipaddrs )
>     {
>     whitelist_status = "to whitelisted destination ";
>     interesting = F;
>     }
> timeout 3 sec
>     {
>     whitelist_status = "to non-whitelisted destination ";
>     interesting = T;
>     }
>
> Basically, I'm checking connections against a set of whitelisted IP
> addresses. The reason I'm using a when...timeout block is to avoid a race
> condition so that if a whitelisted domain shows up with an IP address not
> yet in the IP whitelist, we allow time for the new IP to be written so that
> subsequent connections to the whitelisted domain don't trigger alerts by
> attempting to look up the IP address before it has had time to be written
> to the whitelist.
>
> The problem I'm having is that sometimes neither block gets executed, so
> when I do something like
>
> NOTICE([$note = Unauthorized,
>         $msg = fmt("%s %s connection %s%s: ", internal_status,
>                    get_port_transport_proto(c$id$orig_p), whitelist_status,
>                    established_status),
>         $conn = c]);
>
> I'll get notices that have messages like
>
> Outgoing tcp connection established
>
> since whitelist_status won't have been set
>
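Added example, not part of the original post: Bro evaluates a when statement asynchronously, so statements that follow it do not wait for the condition or the timeout. This sketch raises the notice from inside the timeout branch instead. The names valid_domains, raise_notice and the module name are hypothetical, the sample domain is constructed, and the syntax is Bro 2.x as used in the post.

```bro
# Added example (Bro 2.x syntax, as in the post); not the poster's script.
@load base/frameworks/notice

module WhitelistDemo;

export {
    redef enum Notice::Type += { Unauthorized };
}

# Hypothetical domain whitelist; the entry is a constructed sample.
const valid_domains: set[string] = { "updates.example.com" } &redef;

# IP whitelist filled from DNS answers; name taken from the post.
global valid_ipaddrs: set[addr];

# Writer side of the race: record addresses of whitelisted domains.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    if ( ans$query in valid_domains )
        add valid_ipaddrs[a];
    }

function raise_notice(c: connection, whitelist_status: string)
    {
    NOTICE([$note = Unauthorized,
            $msg = fmt("%s connection %s",
                       get_port_transport_proto(c$id$orig_p),
                       whitelist_status),
            $conn = c]);
    }

# Reader side: wait up to 3 seconds for the address to appear.
event connection_established(c: connection)
    {
    when ( c$id$resp_h in valid_ipaddrs )
        {
        # Address is (or became) whitelisted: nothing to report.
        }
    timeout 3 sec
        {
        # Still absent after the grace period: report from inside the branch.
        raise_notice(c, "to non-whitelisted destination ");
        }
    # Statements placed here do not wait for the condition or the timeout.
    }
```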