In drop.bro, if use_catch_release is F (indicating that you don't want
to use catch & release), bro will still attempt to unblock hosts after
a 1 day timeout by executing the clear_host function (see the
drop_info table), and if there is a restore-connectivity script in the
path, it will get executed, so you actually get a pseudo catch &
release.
The fix is to add a one liner to the clear_host function, which
returns immediately if catch & release is not enabled. See patch
below:
In drop.bro, if use_catch_release is F (indicating that you don't want
to use catch & release), bro will still attempt to unblock hosts after
a 1 day timeout by executing the clear_host function (see the
drop_info table), and if there is a restore-connectivity script in the
path, it will get executed, so you actually get a pseudo catch &
release.
The fix is to add a one liner to the clear_host function, which
returns immediately if catch & release is not enabled. See patch
below: