[Bro] Hui Lin_Enable Protocol Analyzer in Bro bare mode
Siwek, Jonathan Luke
jsiwek at illinois.edu
Mon Jun 25 14:19:26 PDT 2012
> I also like to use a Syslog analyzer to analyze syslog_message event. I define syslog_message event in my own script, but this event handler is not executed under bare mode? I am wondering what scripts should be loaded to enable Syslog analyzer.
You could "@load base/protocols/syslog" to enable the analyzer at least for UDP port 514 traffic. Or you could just "redef dpd_config" like base/protocols/syslog/main.bro does for the ports you need. Not sure if a DPD signature could/should be added for syslog so that would not be necessary, Seth would probably have an idea.
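As an added example (not code from the original thread), the following script does what the reply describes for `bro -b`: it registers the syslog analyzer through `dpd_config` the way base/protocols/syslog/main.bro does, then handles `syslog_message`. It assumes the Bro 2.0 identifiers `ANALYZER_SYSLOG_BINPAC` and `dpd_config`, and the extra port 5514/udp is a made-up value to show how additional ports are added; check both against your installed version.

```bro
# Added example for bare mode (bro -b); not from the original post.
# Assumes Bro 2.0 naming: ANALYZER_SYSLOG_BINPAC and the dpd_config table.

# Option 1: load the base syslog scripts, which register the analyzer
# for 514/udp and also produce syslog.log. Uncomment instead of Option 2.
# @load base/protocols/syslog

# Option 2: register the analyzer yourself for the ports you need.
# 5514/udp is an assumed example of a non-standard syslog port.
const syslog_ports = { 514/udp, 5514/udp } &redef;

redef dpd_config += { [ANALYZER_SYSLOG_BINPAC] = [$ports = syslog_ports] };

# Count messages per severity so a burst of high-severity messages
# (e.g. many severity 0-2 messages from one sender) stands out.
global severity_counts: table[count] of count &default = 0;

# Fires once the analyzer is attached and parses a message.
event syslog_message(c: connection, facility: count, severity: count, msg: string)
	{
	++severity_counts[severity];
	print fmt("%s -> %s facility=%d severity=%d msg=%s",
	          c$id$orig_h, c$id$resp_h, facility, severity, msg);
	}

# Summary at shutdown (end of the trace when reading a pcap).
event bro_done()
	{
	for ( sev in severity_counts )
		print fmt("severity %d: %d messages", sev, severity_counts[sev]);
	}
```

Run it against a capture with `bro -b -r syslog.pcap enable_syslog.bro`; if `syslog_message` still never fires, confirm the traffic is actually on one of the registered ports.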