[Bro] How to Set N-byte of Payload to be Processed by Bro?
vladg at illinois.edu
Wed Jul 6 09:41:09 PDT 2016
There's a variable you can redefine for this, snaplen. The module
that this variable is in changed from 2.4.1 to the current git master.
If you're on 2.4.1 or older, use "snaplen"; otherwise, use
"Pcap::snaplen". If running Bro in standalone mode, you can do something
> bro -i eth0 Pcap::snaplen=1024
Otherwise, you can add this to site/local.bro:
> redef Pcap::snaplen=1024;
One thing to note is that this only applies to capturing from live
interfaces, and not reading from PCAPs.
 - <https://www.bro.org/sphinx/scripts/base/init-bare.bro.html#id-snaplen>
Hashem Alaidaros <aidaros.dev at gmail.com> writes:
> Hi everyone,
> I use the signature framework in Bro. I want Bro to capture and process only
> the first N-bytes of each packet received. In other words, only the first
> N-bytes will be compared with the signature.
> How to do that?
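An added example, not part of the original post or of Bro's code: a Python sketch of how many TCP payload bytes are left when a frame is truncated to the snaplen=1024 from the reply, and what snaplen is needed to keep a given number of payload bytes. It assumes the snapshot length is counted from the start of the link-layer frame (as libpcap's is), Ethernet II without a VLAN tag, and a constructed frame and byte pattern.

```python
import struct

ETH_HLEN = 14                      # Ethernet II, no VLAN tag (assumption)
PATTERN = b"PATTERN"               # constructed byte string, not a real signature
PAYLOAD = b"A" * 1000 + PATTERN + b"B" * 200   # pattern sits at payload offset 1000

def build_frame(payload):
    """Constructed Ethernet/IPv4/TCP frame: no options, checksums left at zero."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def header_len(frame):
    """Bytes of Ethernet + IPv4 + TCP header in front of the payload."""
    ihl = (frame[ETH_HLEN] & 0x0F) * 4
    return ETH_HLEN + ihl + (frame[ETH_HLEN + ihl + 12] >> 4) * 4

def captured_payload(frame, snaplen):
    """TCP payload bytes left after the capture layer truncates to snaplen."""
    cap = frame[:snaplen]
    if len(cap) < ETH_HLEN + 20 or cap[12:14] != b"\x08\x00" or cap[ETH_HLEN + 9] != 6:
        return b""                 # not IPv4/TCP, or the IP header itself was cut
    tcp_off = ETH_HLEN + (cap[ETH_HLEN] & 0x0F) * 4
    if len(cap) < tcp_off + 13:
        return b""                 # TCP header cut before the data-offset field
    return cap[tcp_off + (cap[tcp_off + 12] >> 4) * 4:]

def min_snaplen(frame, payload_bytes):
    """Smallest snaplen that still delivers the first payload_bytes of payload."""
    return header_len(frame) + payload_bytes

FRAME = build_frame(PAYLOAD)

if __name__ == "__main__":
    seen = captured_payload(FRAME, 1024)
    print("payload bytes visible at snaplen=1024:", len(seen))
    print("pattern visible:", PATTERN in seen)
    need = min_snaplen(FRAME, 1000 + len(PATTERN))
    print("snaplen needed to cover the pattern:", need)
    print("pattern visible then:", PATTERN in captured_payload(FRAME, need))
```

When sizing the value for signature matching, add the header bytes to the N payload bytes the signatures need; IP or TCP options and VLAN tags increase that overhead.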