Seth Hall created BIT-1431:
------------------------------

             Summary: Loss of information due to analyzer capitalization changes
                 Key: BIT-1431
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1431
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.5
            Reporter: Seth Hall


Currently some of Bro's analyzers are changing the case of data before passing
it along to events, which is a fairly dramatic loss of information in some cases.

The two known examples right now are the query in DNS (lowercased) and the 
header field name in HTTP (uppercased).  The question is if we should brute 
force change these to stop modifying the original values and have people fix 
any scripts that it breaks (watching for header value names is the biggie here) 
or if we should use some alternate mechanism to allow the existing behavior to 
have a sundown time period.

I say we should just break it since the quantity of existing scripts in the 
world is still fairly small and the number of scripts that it affects is even 
less (many scripts won't be affected at all).



--
This message was sent by Atlassian JIRA
(v6.5-OD-08-001#65007)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
