string to address issue w/ is_v6_addr

This confused me for quite some time this morning so I thought I’d share. The script should make it clear, but when attempting to take a url string and test to see if it’s a valid address, the output from to_addr creates a ‘valid’ ipv6 address.

Is that a requirement for some reason internally?


event bro_init() {

is_v6_addr isn’t giving the correct result because is_addr returns ::

assume url extracted from http:// or ftp:// string via regex:

local url: string = “”;

print fmt(“hostname is v4 addr”);
print fmt(“hostname is not v4 addr”);

print fmt(“hostname is v6 addr”);
print fmt(“hostname is not v6 addr”);

print fmt(“Why? %s”,to_addr(url));


to_addr() returning the unspecified IPv6 address on failure to convert an IP string to Bro’s address type is just an arbitrary choice. Alternatively, it could return the unspecified IPv4 address,, but that doesn’t really save anything — internally Bro’s address values all use a full 128 bits (IPv4 uses the "IPv4-mapped IPv6” representation). It could also return a record type:

  type opt_addr: record { a: addr &optional; };


  type opt_addr: record { a: addr; success: bool; };

Where in the first, it only sets the field if the conversion succeeded, but failure to check for that fields existence before accessing is potentially more problematic than failure to check for [::]. In either, it’s adding another data type the user has to remember or lookup how to use.

So that’s the backstory of why [::] is the failure indicator. One could also argue that using the unspecified IPv6 address (or IPv4) as a return value makes it ambiguous to try to parse “::” (or “”) as the input string and I’d be on board w/ that and vote to switch to one of the return-a-record styles.

Anyway, from the example you gave, did you just mean to use “lookup_hostname” instead of “to_addr” ?

- Jon

Thanks for the background! Looks like what I need is is_valid_ip() from base/utils/addrs.bro.

Problem was I was starting with a string that could be an IP or could be a hostname.