[Bro] three things

Robin Sommer robin at icir.org
Wed Jan 31 17:09:34 PST 2007

On Wed, Jan 31, 2007 at 14:03 -0600, Mike Dopheide wrote:

> I've spent quite a bit of time trying to get a regular expression to 
> match packet contents returned by udp_contents(). 

Just tried it with a DNS packet and this script works for me:

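     # Deliver the payload of all originator-side UDP packets to udp_contents.
     redef udp_content_deliver_all_orig = T;

     event udp_contents(u: connection, is_orig: bool, contents: string)
        {
        print contents;
        # "in" is true if the pattern matches anywhere within the string.
        print /.*bro-ids./ in contents;
        }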


Can you send me a trace and your script?


Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
