Hi Bro mailing list,
I’m having an issue where the when…timeout block isn’t executing. I’ll post my code then explain the problem I’m experiencing. The relevant code is:
    # Runs once the destination address is found in the whitelist set
    when ( c$id$resp_h in valid_ipaddrs )
        {
        whitelist_status = "to whitelisted destination ";
        interesting = F;
        }
    # Runs if the address has not appeared in the set within 3 seconds
    timeout 3 sec
        {
        whitelist_status = "to non-whitelisted destination ";
        interesting = T;
        }
Basically, I’m checking connections against a set of whitelisted IP addresses. The reason I’m using a when…timeout block is to avoid a race condition so that if a whitelisted domain shows up with an IP address not yet in the IP whitelist, we allow time for the new IP to be written so that subsequent connections to the whitelisted domain don’t trigger alerts by attempting to look up the IP address before it has had time to be written to the whitelist.
The problem I’m having is that sometimes neither block gets executed, so when I do something like
    NOTICE([$note = Unauthorized,
            $msg = fmt("%s %s connection %s%s: ", internal_status,
                       get_port_transport_proto(c$id$orig_p),
                       whitelist_status, established_status),
            $conn = c]);
I’ll get notices that have messages like
Outgoing tcp connection established
since whitelist_status won’t have been set
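One way to restructure this, as an added example that is not the poster's code: a when statement does not block, so statements written after it run immediately, before either branch has set whitelist_status; the notice is therefore generated from inside the branches instead. The module name, the sample set contents, the status strings and the Unauthorized notice type are assumptions modelled on the post; newer Zeek releases also expect a capture list (`when [c, ...] ( ... )`) for locals used inside the body.

```zeek
# Added example, not the original poster's script. Assumes the lookup lives in
# a connection_established handler and that valid_ipaddrs is filled elsewhere.
module Whitelist;

export {
    redef enum Notice::Type += { Unauthorized };
    # Constructed sample whitelist for illustration only.
    global valid_ipaddrs: set[addr] = { 192.0.2.10, 192.0.2.11 } &redef;
}

# Emit the notice with the resolved whitelist status.
function report(c: connection, whitelist_status: string,
                internal_status: string, established_status: string)
    {
    NOTICE([$note = Unauthorized,
            $msg = fmt("%s %s connection %s%s: ", internal_status,
                       get_port_transport_proto(c$id$orig_p),
                       whitelist_status, established_status),
            $conn = c]);
    }

event connection_established(c: connection)
    {
    local internal_status = "Outgoing";       # placeholder value
    local established_status = "established"; # placeholder value

    # Nothing after this when statement should depend on its branches having
    # run: the handler continues immediately and the branches fire later,
    # either when the address shows up in the set or when the timeout expires.
    when ( c$id$resp_h in valid_ipaddrs )
        {
        # Whitelisted destination: no notice needed.
        }
    timeout 3 sec
        {
        # The address never appeared in the whitelist within the grace period.
        report(c, "to non-whitelisted destination ",
               internal_status, established_status);
        }
    }
```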