[Bro] SMB2 module
dani.nicolo at gmail.com
Mon Mar 23 03:07:15 PDT 2015
Sorry, I have to rectify my latest reply: inserting the environment variable
BRO_DNS_FAKE, Bro seems to work now.
I've also tried disabling the affected scripts, and Bro works too.
I'm a little confused about the different behavior: if I set BRO_DNS_FAKE=1,
will DNS logs be altered significantly?
Thank you so much.
2015-03-21 0:35 GMT+01:00 Danilo Nicolò <dani.nicolo at gmail.com>:
> 2015-03-20 20:27 GMT+01:00 Seth Hall <seth at icir.org>:
>> > On Mar 20, 2015, at 3:08 PM, Vlad Grigorescu <vlad at grigorescu.org>
>> > Of course, the "better" solution would be to fix the system so that it
>> can do reverse DNS lookups (and TXT queries for detect-MHR) :-)
> At the line 35 of
> script there's the function
> that invoke DNS lookup, so I think definitely that the problem is in this
>> Another option here is to force Bro into a mode where it fakes DNS
>> responses internally. Unfortunately there isn’t a switch to enable this in
>> scripts, but you can change the behavior with an environment variable:
>> BRO_DNS_FAKE=1 bro -r somepackets.pcap
> I've tried to run bro with BRO_DNS_FAKE=1 env but unfortunately it didn't
> I've received the SIGSEGV signal; below you can see the gdb log
> Program received signal SIGSEGV, Segmentation fault.
> 0x000000000060a5d9 in SerializationFormat::WriteData (this=0x7ffff001b780,
> b=b@entry=0x7fffff7ff03c, count=count@entry=2)
> at /home/danko/bro_smb/bro/src/SerializationFormat.cc:87
> 87 memcpy(output + output_pos, b, count);
> (gdb) p output
> $1 = 0x7fff51d14010 "\001"
> As Vlad has suggested to me, I'm going to disable these scripts and I'll
> let you know asap.
> Thank you so much.