[ 
https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20301#comment-20301
 ] 

Paul Pearce commented on BIT-1333:
----------------------------------

Robin,

Thanks for looking at this.

Robin, that behavior seems desirable to me as it provides for a completely 
reversible process. Can you elaborate a bit?

The issue I'm encountering has to do with these characters being outputted via 
the logging framework. My understanding of the framework is such that your 
solution (special function) would mean that you could never get the recoverable 
representation via logging. Is that correct? If so, that seems problematic 
given that many programs consume these logs.

Perhaps a middle ground solution would be a bro configuration operation that 
controls this behavior globally?

> Bro's ASCII logging facilities do not escape escape characters
> --------------------------------------------------------------
>
>                 Key: BIT-1333
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1333
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>            Reporter: Paul Pearce
>            Assignee: Robin Sommer
>             Fix For: 2.4
>
>
> * Bro escapes non-printable ASCII characters with either \x?? or ^ depending 
> on the character 
> (https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html). 
> * Bro does not however escape \ or ^. 
> * This behavior makes recovering the original string impossible as you can 
> not differentiate between an escaped sequence and a string containing those 
> characters. 
> Examples: 
> $ bro -e 'event bro_init() { print "foo \xc2\xae bar \\xc2\\xae baz"; }'
>  foo \xc2\xae bar \xc2\xae baz
> $ bro -e 'event bro_init() { print "foo\x00bar\\0baz"; }'
>  foo\0bar\0baz
> $ bro -e 'event bro_init() { print "foo \16 bar ^N baz"; }'
>  foo ^N bar ^N baz
> Additionally, it would be ideal if there was a way to standardize escaping to 
> a single syntax (\x?? for all, for example). This would allow post-processing 
> of the bro logs in languages like Python or Ruby trivially using existing 
> decode/encode functionality. I'm happy to file a separate feature request for 
> this behavior, if that is preferred.
> I brought this up on the mailing list 
> (http://mailman.icsi.berkeley.edu/pipermail/bro/2015-February/008174.html). 
> It was suggested (off list) that I file a ticket as well.



--
This message was sent by Atlassian JIRA
(v6.4-OD-16-006#64014)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
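
Added example, not part of the original message and not Bro's own code: a simplified Python model of the ambiguity reported in the ticket, next to a reversible variant that uses \x?? for everything and also escapes the backslash. The function names and the choice of \x5c for the backslash are assumptions made for illustration; the model does not reproduce Bro's \0 or ^ forms.

```python
import string

HEX = set(string.hexdigits)

def escape_lossy(data: bytes) -> str:
    # Simplified model of the reported behaviour: non-printable bytes become
    # \xNN, but a literal backslash is copied through unchanged.
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in data)

def escape_reversible(data: bytes) -> str:
    # Assumed fix: also escape the backslash itself (0x5c), so every
    # backslash in the output is guaranteed to start a \xNN sequence.
    return "".join(
        chr(b) if 0x20 <= b < 0x7F and b != 0x5C else f"\\x{b:02x}" for b in data
    )

def unescape(text: str) -> bytes:
    # Inverse of escape_reversible; rejects malformed escapes and raw
    # non-printable characters instead of guessing what was meant.
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            digits = text[i + 2 : i + 4]
            if text[i + 1 : i + 2] != "x" or len(digits) != 2 or not set(digits) <= HEX:
                raise ValueError(f"malformed escape at offset {i}")
            out.append(int(digits, 16))
            i += 4
        elif 0x20 <= ord(ch) < 0x7F:
            out.append(ord(ch))
            i += 1
        else:
            raise ValueError(f"unescaped non-printable character at offset {i}")
    return bytes(out)

# Constructed inputs mirroring the first example in the ticket.
RAW_BYTES = b"foo \xc2\xae bar"       # two real non-printable bytes
LITERAL_TEXT = b"foo \\xc2\\xae bar"  # the eight characters \xc2\xae typed literally

if __name__ == "__main__":
    for name, value in (("raw bytes", RAW_BYTES), ("literal text", LITERAL_TEXT)):
        print(f"{name:12} lossy={escape_lossy(value)!r} reversible={escape_reversible(value)!r}")
```

With the lossy encoder both inputs produce the same log text, so a consumer of the log cannot tell which one was on the wire; with the reversible encoder they differ and decode back to the original bytes.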
