[Bro] three things
dopheide at ncsa.uiuc.edu
Wed Jan 31 16:01:44 PST 2007
Trace attached. You'll need to run bro with -C to ignore checksum errors.
Robin Sommer wrote:
> On Wed, Jan 31, 2007 at 14:03 -0600, Mike Dopheide wrote:
>> I've spent quite a bit of time trying to get a regular expression to
>> match packet contents returned by udp_contents().
> Just tried it with a DNS packet and this script works for me:
> # Deliver the payload of every originator-side UDP packet to udp_contents.
> redef udp_content_deliver_all_orig = T;
> event udp_contents(u: connection, is_orig: bool, contents: string)
>     {
>     print contents;
>     print /.*bro-ids./ in contents;
>     }
> Can you send me a trace and your script?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 14028 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20070131/6772b7d1/attachment.obj