[Bro] How filter machine name registration?
vitologrillo at gmail.com
Mon Oct 27 01:55:43 PDT 2014
Thanks for your reply,
I'll try to explain my problem better.
I'm trying to log all NetBIOS service name registrations: as you
suggested, I've filtered DNS traffic on port 137/udp and used a filter for
a specific opcode (Netbios_registration == 5).
In this way, I'm able to log all NetBIOS registrations, but I'm not able to
discern a group name registration from a unique name registration.
Using Wireshark, I find this information in an additional record that I
can't see in Bro.
For example, using this event
event dns_request (c:connection, msg: dns_msg, query: string, qtype: count,
I can see the presence of an additional record in the packet (msg$num_addl
=1), but I can't see its value.
How can I do this in Bro?
2014-10-23 15:52 GMT+02:00 Seth Hall <seth at icir.org>:
> On Oct 23, 2014, at 8:16 AM, Vito Logrillo <vitologrillo at gmail.com> wrote:
> > How can i filter netbios name service registration?
> It all shows up in dns.log and you are given access to it through the
> various DNS events. Could you describe what you are trying to accomplish?
> Providing a packet capture and describing what you want to get out of it
> would be the most useful.
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
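The additional record the question refers to is an NB (type 0x0020) resource record whose RDATA carries NB_FLAGS, and the group/unique distinction is the G bit (bit 15) of NB_FLAGS (RFC 1002). The following is an added example, not code from this thread or from the Bro project; it is plain Python rather than Bro script, builds a constructed registration request, and parses the NB_FLAGS out of the additional record to show where the flag lives on the wire.

```python
import struct

NBNS_OPCODE_REGISTRATION = 5   # RFC 1002 name registration request
NB_RR_TYPE = 0x0020            # NB resource record type

def encode_nb_name(name, suffix):
    """First-level encode (RFC 1001 14.1): 15 chars padded with spaces plus a
    one-byte suffix, each nibble expanded to a letter in A..P."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = b"".join(bytes([65 + (b >> 4), 65 + (b & 0x0F)]) for b in raw)
    return b"\x20" + enc + b"\x00"   # 32-char label, no scope, root label

def decode_nb_name(enc):
    raw = bytes(((enc[i] - 65) << 4) | (enc[i + 1] - 65) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def skip_name(pkt, off):
    """Advance past a (possibly compressed) DNS-style name."""
    while pkt[off] != 0:
        if pkt[off] & 0xC0 == 0xC0:   # compression pointer: two bytes total
            return off + 2
        off += 1 + pkt[off]
    return off + 1

def build_registration(name, suffix, ip, group, ont=0, trn_id=0x1234):
    """Constructed sample packet (not a capture): header, NB question,
    and the additional NB record carrying NB_FLAGS and NB_ADDRESS."""
    flags = (NBNS_OPCODE_REGISTRATION << 11) | 0x0110   # opcode 5, RD and B set
    hdr = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 1)
    question = encode_nb_name(name, suffix) + struct.pack("!HH", NB_RR_TYPE, 1)
    nb_flags = (0x8000 if group else 0) | ((ont & 0x3) << 13)   # G bit, ONT bits
    rdata = struct.pack("!H4B", nb_flags, *map(int, ip.split(".")))
    addl = b"\xc0\x0c" + struct.pack("!HHIH", NB_RR_TYPE, 1, 300000, len(rdata)) + rdata
    return hdr + question + addl

def parse_registration(pkt):
    """Return the registered name and whether it is a group or unique name."""
    _, flags, qd, _, _, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    if (flags >> 11) & 0xF != NBNS_OPCODE_REGISTRATION or qd != 1 or ar != 1:
        raise ValueError("not a name registration request")
    name, suffix = decode_nb_name(pkt[13:45])       # question name label
    off = skip_name(pkt, 12) + 4                    # past QTYPE and QCLASS
    off = skip_name(pkt, off)                       # additional record name
    rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
    if rtype != NB_RR_TYPE or rdlen != 6:
        raise ValueError("additional record is not an NB record")
    nb_flags, a, b, c, d = struct.unpack_from("!H4B", pkt, off + 10)
    return {"name": name, "suffix": suffix, "group": bool(nb_flags & 0x8000),
            "ont": (nb_flags >> 13) & 0x3, "addr": "%d.%d.%d.%d" % (a, b, c, d), "ttl": ttl}
```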