It strikes me that as Bro development marches on, package maintainers don't have great choices in terms of maintaining compatibility with multiple Bro versions. For JA3, to maintain compatibility, you have to do something like this, due to the SSL event change:

    @if ( Version::at_least("2.6") )
    event ssl_client_hello(c: connection, version: count, record_version: count,
        possible_ts: time, client_random: string, session_id: string,
        ciphers: index_vec, comp_methods: vector of count) &priority=1
    @else
    event ssl_client_hello(c: connection, version: count, possible_ts: time,
        client_random: string, session_id: string, ciphers: index_vec) &priority=1
    @endif

That works, but I worry that the overhead of trying to maintain that will grow out of hand. I'm wondering if there's a better mechanism for this. A naive approach might be to include an option in the package metadata, which specifies minimum/maximum Bro versions that it requires. The installer, then, would simply install the latest version that supports your Bro version. I don't want to overcomplicate things, but it does feel like there's a mechanism that's currently missing.

Any other thoughts?

--Vlad
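The selection step proposed in the message above, sketched as an added example (not code from the original post or from the Bro package manager). The metadata keys `min_bro` and `max_bro`, the release list, and the function names are hypothetical.

```python
import re

# Constructed sample: releases of one package with hypothetical version bounds.
RELEASES = [
    {"tag": "1.0.0", "min_bro": "2.4", "max_bro": "2.5"},  # old ssl_client_hello
    {"tag": "1.0.1", "min_bro": "2.4", "max_bro": "2.5"},
    {"tag": "2.0.0", "min_bro": "2.6"},                    # new ssl_client_hello
]

def parse_version(text):
    """'2.5.5' -> (2, 5, 5). A suffix such as '-beta2' is ignored."""
    match = re.match(r"\d+(?:\.\d+)*", text)
    if match is None:
        raise ValueError("unparseable version: %r" % (text,))
    return tuple(int(part) for part in match.group(0).split("."))

def _pad(version, length):
    """Right-pad a version tuple with zeros so 2.6 and 2.6.0 compare equal."""
    return version + (0,) * (length - len(version))

def is_compatible(installed, min_bro=None, max_bro=None):
    """min_bro is inclusive; max_bro '2.5' also covers 2.5.x point releases."""
    have = parse_version(installed)
    if min_bro is not None:
        low = parse_version(min_bro)
        width = max(len(have), len(low))
        if _pad(have, width) < _pad(low, width):
            return False
    if max_bro is not None:
        high = parse_version(max_bro)
        # Compare only as many components as the bound specifies.
        if _pad(have, len(high))[:len(high)] > high:
            return False
    return True

def select_release(releases, installed):
    """Return the newest tag whose bounds admit the installed Bro, else None."""
    usable = [r for r in releases
              if is_compatible(installed, r.get("min_bro"), r.get("max_bro"))]
    if not usable:
        return None  # the installer should refuse rather than install a mismatch
    return max(usable, key=lambda r: parse_version(r["tag"]))["tag"]

if __name__ == "__main__":
    for bro in ("2.3", "2.5.5", "2.6"):
        print(bro, "->", select_release(RELEASES, bro))
```
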