[Bro] type conversion
vern at icir.org
Wed May 4 13:31:43 PDT 2005
> Hi Vern,
> I am monitoring the pm_getport event. If a suspicious remote host sends a
> reqest to the monitored server and successfully get the port # of a specific
> rpc service, I would like to track all incoming traffic to this
> service. I need
> the port # of the service for this purpose.
The way to get it is to define your own pm_request_getport event handler
(you can do this in addition to the normal one). See portmapper.bro
for how the default one works, from which you should be able to derive
an additional handler to do what you want.
More information about the Bro