mask_addr?

Development
1

I think the existing mask_addr function may be named wrong. Here's the current prototype:
  function mask_addr(a: addr, top_bits_to_keep: count): addr

I want it to do this (and I think it makes more sense based on the name):
  function mask_addr(a: addr, top_bits_to_keep: count): subnet

I'm not sure how the existing function was ever used, but it seems like it must have been a fairly limited use case. Does that seem reasonable to change what that function does and steal the name? I suppose the existing function could be renamed to something else if someone still knows of a use for it.

In case it's not obvious from the prototypes above, what I'm aiming to do is take addresses and mask them off to subnets (I need it for aggregation with the metrics framework).
For example...
print mask_addr(1.2.3.4, 24)
  => 1.2.3.0/24

  .Seth

2

I want it to do this (and I think it makes more sense based on the name):
  function mask_addr(a: addr, top_bits_to_keep: count): subnet

Yeah, it predates the introduction of subnets into Bro.

I'm not sure how the existing function was ever used

It was things like:

  if ( mask_addr(c$id$orig_h, 24) == 1.2.3.0 )
    # Whoops, it's coming from 1.2.3/24 ...

See {backdoor,ftp,scan}.bro (at least, the 1.5 versions :slight_smile: for such uses.

but it seems like it must have been a fairly limited use case. Does
that seem reasonable to change what that function does and steal the name?

Yes.

    Vern

3

Ah, that would be why I couldn't find anything about it in the CHANGES file. :slight_smile:

I'll file a ticket. Thanks.

  .Seth