[Bro] How to Set N-byte of Payload to be Processed by Bro?

Vlad Grigorescu vladg at illinois.edu
Wed Jul 6 09:41:09 PDT 2016


There's a variable you can redefine for this, snaplen[1]. The module
that this variable is in changed from 2.4.1 to the current git master.
If you're on 2.4.1 or older, use "snaplen" otherwise use
"Pcap::snaplen". If running Bro in standalone mode, you can do something

> bro -i eth0 Pcap::snaplen=1024

Otherwise, you can add this to site/local.bro:

> redef Pcap::snaplen=1024;

One thing to note is that this only applies to capturing from live
interfaces, and not reading from PCAPs.


[1] - <https://www.bro.org/sphinx/scripts/base/init-bare.bro.html#id-snaplen>

Hashem Alaidaros <aidaros.dev at gmail.com> writes:

> Hi everyone,
> I use signature framework in Bro. I want Bro to capture and processes only
> the first N-bytes of each packet received. In other words, only the first
> N-bytes will be compared with the signature.
> How to do that?
> Aidaros
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 800 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160706/2895971d/attachment.bin 

More information about the Bro mailing list