[ https://bro-tracker.atlassian.net/browse/BIT-1431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21204#comment-21204 ]
Seth Hall commented on BIT-1431:
--------------------------------
Seems reasonable. Let's do that.
> Loss of information due to analyzer capitalization changes
> ----------------------------------------------------------
>
> Key: BIT-1431
> URL: https://bro-tracker.atlassian.net/browse/BIT-1431
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.5
> Reporter: Seth Hall
>
> Currently some of Bro's analyzers are changing the case of data before
> passing it along to events, which is a fairly dramatic loss of information in
> some cases.
> The two known examples right now are the query in DNS (lowercased) and the
> header field name in HTTP (uppercased). The question is if we should brute
> force change these to stop modifying the original values and have people fix
> any scripts that it breaks (watching for header value names is the biggie
> here) or if we should use some alternate mechanism to allow the existing
> behavior to have a sundown time period.
> I say we should just break it since the quantity of existing scripts in the
> world is still fairly small and the number of scripts that it affects is even
> less (many scripts won't be affected at all).