[Bro] ssh alternative ports

Robin Gruyters r.gruyters at snow.nl
Wed Nov 12 01:50:29 PST 2008


Quoting rmkml <rmkml at free.fr>:

> Hi Robin,
> You do not export capture_filters ?
> Regards
> Rmkml
> Crusoe-Researches.com
> 
This is already exported by pcap.bro.

With kind regards,

Robin Gruyters



> On Wed, 12 Nov 2008, Robin Gruyters wrote:
> 
> > Date: Wed, 12 Nov 2008 09:23:32 +0100
> > From: Robin Gruyters <r.gruyters at snow.nl>
> > To: Robin Sommer <robin at icir.org>
> > Cc: bro at bro-ids.org, bro at ICSI.Berkeley.EDU
> > Subject: Re: [Bro] ssh alternative ports
> > 
> > Robin,
> >
> > Okay, I have attached a patch for ssh.bro, which includes exported
> ssh_ports and
> > ssh_log.
> >
> > With kind regards,
> >
> > Robin Gruyters
> >
> >
> > Quoting Robin Sommer <robin at icir.org>:
> >
> >>
> >> On Tue, Nov 11, 2008 at 09:21 +0100, you wrote:
> >>
> >>> bro at nsm$ bro -r test.lpc tcp weird alarm ssh test print-filter
> >>> ./test.bro, line 12 (SSH::ssh_ports): error, "redef" used but not
> >> previously defined
> >>
> >> You indeed need the SSH prefix. Using that, I get a different error
> >> message:
> >>
> >> # bro -r test.lpc tcp weird alarm ssh ./test.bro print-filter
> >> ./test.bro, line 11: error: identifier is not exported: SSH::ssh_ports
> >>
> >> Which is true: the id is not exported in ssh.bro and therefore
> >> can't be redefined (I think it should be exported though).
> >>
> >> Robin
> >>
> >> --
> >> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> >> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
> >>
> >
> 



More information about the Bro mailing list