remote.bro problem?

I have a question regarding the use of IP addresses vs. hostnames in the
destinations file in remote.bro.

When the configuration is set up in the form:

redef destinations += {
       ["foo"] = [$host = weed.nersc.gov, $events = /.*/, $connect=T,
$retry = 60 secs, $ssl=T]
};

bro experiences an error at startup:

-bash-2.05b$ bin/bro -t trace remote
Execution tracing ON.
1118358881.581429 ./policy/remote.bro, line 56 ({128.55.14.206}): bad tag in Val::AsAddr

where the execution tracing at the point in question shows:

1118358881.581429 ./policy/remote.bro:80 Builtin Function called: set_buf(f = '<no value description>', buffered = 'F')
1118358881.581429 ./policy/remote.bro:80 Function return: <void value description>
1118358881.581429 ./policy/remote.bro:93 Builtin Function called: connect(ip = '{
        128.55.14.206
}', p = '47756/tcp', retry = '1.0 min', ssl = 'T')

From the trace file, it seems that the name has been successfully
converted, but has additional spaces and returns.

When remote.bro is configured to use the IP address of the remote host,
startup is *normal* and the trace file looks like:

1118358999.795913 ./policy/remote.bro:80 Builtin Function called: set_buf(f = '<no value description>', buffered = 'F')
1118358999.795913 ./policy/remote.bro:80 Function return: <void value description>
1118358999.795913 ./policy/remote.bro:93 Builtin Function called: connect(ip = '128.55.14.206', p = '47756/tcp', retry = '1.0 min', ssl = 'T')

Note the lack of spaces and returns.

Since the client cert is associated to the host name rather than the IP
address, I am getting authentication failures for ssl.

Any thoughts on how to fix this (besides getting a cert assigned to an IP)?

scott

>       ["foo"] = [$host = weed.nersc.gov, $events = /.*/, $connect=T,

>called: connect(ip = '{
> 128.55.14.206
>}', p = '47756/tcp', retry = '1.0 min', ssl = 'T')

> converted, but has additional spaces and returns.

Even more: it's surrounded by "{...}", which indicates that there is
actually a table passed to connect().

[...reading source code...]

Ok, I see. The parser looks up the host name by means of
DNS_Mgr::LookupHost(), which returns a set of IP addresses (because a
hostname can correspond to more than one name). But that doesn't
match the record's type definition, which specifies a single addr,
not a set.

I don't really see what's the right way to solve this. Anyone having
an idea how to handle this?

> Since the client cert is associated to the host name rather than the IP
> address, I am getting authentication failures for ssl.

Actually, I don't think that giving the host name in the script
would help. The address is looked up by the parser, so that in any
case the connect() function sees an IP address rather than the name.

It seems that there is some additional logic in the communication
code required to check such certificates. Does anybody know if
OpenSSL already provides something along these lines?

Robin
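
Added example, not part of the thread and not Bro's code: a Python sketch of the two points discussed above, namely that a host name resolves to a set of addresses from which one must be chosen, and that a certificate issued to the name only verifies if the name, not the chosen address, is kept as the reference identity. The function names and the sample certificate are hypothetical; the certificate dict is constructed in the shape returned by `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress

# Constructed sample: a certificate issued to a host name only (no IP entry).
SAMPLE_CERT = {
    "subject": ((("commonName", "weed.nersc.gov"),),),
    "subjectAltName": (("DNS", "weed.nersc.gov"),),
}


def _dns_match(pattern, host):
    """Case-insensitive label match; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least three labels so '*.gov' never matches.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_matches(cert, reference):
    """True if `reference` (host name or IP literal) appears in the cert's SANs."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP reference is only satisfied by an 'IP Address' SAN entry.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, reference)
               for kind, value in sans)


def plan_connection(host, resolved, cert):
    """Pick one address from the resolved set, but keep the name for verification."""
    addr = min(resolved)  # deterministic choice for the example
    return {
        "connect_to": addr,                    # a single addr, as connect() expects
        "verify_as": host,                     # identity the certificate must carry
        "name_ok": cert_matches(cert, host),   # check using the configured name
        "ip_ok": cert_matches(cert, addr),     # check if only the address is known
    }


if __name__ == "__main__":
    print(plan_connection("weed.nersc.gov", {"128.55.14.206"}, SAMPLE_CERT))
```

In real code the TLS library should perform this check: Python's `ssl` module does so when `server_hostname` is passed with `check_hostname` enabled, and OpenSSL 1.0.2 and later provide `X509_check_host()`.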