[Bro-Dev] [Bro_Configuration]Problem with RPC Analyzer
Zakaria Hili
zakahili at gmail.com
Tue Jan 5 23:52:30 PST 2016
Hello,
I am working on a sniffer based on Bro (for educational purposes) and I am
facing problems with the RPC Analyzer configuration.
In fact it is not activated by default on Bro:
Todo
Bro’s current default configuration does not activate the protocol analyzer
that generates this event; the corresponding script has not yet been ported
to Bro 2.x. To still enable this event, one needs to register a port for it
or add a DPD payload signature.
With regard to this Todo section in the Bro::RPC analyzer, I tried to
register a port for RPC and NFS with the following script:
    # Ports to associate with the NFS analyzer.
    const ports = {111/tcp, 111/udp, 747/udp, 759/tcp, 762/udp, 764/tcp,
                   2049/udp};
    redef likely_server_ports += {ports};

    event bro_init() &priority=5
        {
        Analyzer::register_for_ports(Analyzer::ANALYZER_NFS, ports);
        }

    # Print a marker whenever an NFS GETATTR call is seen.
    event nfs_proc_getattr(c: connection, info: NFS3::info_t, fh: string,
                           attrs: NFS3::fattr_t)
        {
        print "hi";
        }
but I have got this error:
944207397.280000 internal error: unknown analyzer name RPC; mismatch with
tag analyzer::Component?
Please could you help me with any hint to understand what I am supposed to
do.
Thank you in advance.
Best Regards,
Zakaria