[ https://bro-tracker.atlassian.net/browse/BIT-1431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Johanna Amann updated BIT-1431:
-------------------------------
Affects Version/s: 2.4 (was: 2.5)
> Loss of information due to analyzer capitalization changes
> ----------------------------------------------------------
>
> Key: BIT-1431
> URL: https://bro-tracker.atlassian.net/browse/BIT-1431
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Reporter: Seth Hall
> Fix For: 2.5
>
>
> Currently some of Bro's analyzers are changing the case of data before
> passing it along to events, which is a fairly dramatic loss of information in
> some cases.
> The two known examples right now are the query in DNS (lowercased) and the
> header field name in HTTP (uppercased). The question is if we should brute
> force change these to stop modifying the original values and have people fix
> any scripts that it breaks (watching for header value names is the biggie
> here) or if we should use some alternate mechanism to allow the existing
> behavior to have a sundown time period.
> I say we should just break it since the quantity of existing scripts in the
> world is still fairly small and the number of scripts that it affects is even
> less (many scripts won't be affected at all).