[Bro] invoking an analyzer without the default policy script?
Mike Wood
muscletot at gmail.com
Wed Dec 5 10:36:29 PST 2007
On 12/5/07, Robin Sommer <robin at icir.org> wrote:
>
> On Tue, Dec 04, 2007 at 15:43 -0800, Mike Wood wrote:
>
> > this dns_request handler does not get called unless I add
> >
> > @load dns
>
> Most likely you haven't set the capture filter to include DNS
> packets into the analysis. Try adding this to your script (which is
> from dns.bro):
>
> redef capture_filters += {
> ["dns"] = "port 53",
> ["netbios-ns"] = "udp port 137",
> };
I gave that a shot, but still didn't see any output.
I did have success by adding the following:
global dns_ports = { 53/udp, 53/tcp, 137/udp };
redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };
(also from dns.bro), and that triggered my event handler for dns_request.
Note this seemed to work with and without redefining the capture filters.
Any ideas why this is the case? Particularly, am I only going to be
able to implement my custom event handlers for analyzers that are part of
the DPD framework?
Many thanks,
Mike
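As an added example (not code from the thread or from the Bro distribution), here is a stand-alone policy script that puts Mike's working pieces together: the capture filter only decides which packets reach Bro at all, while the dpd_config entry is what attaches ANALYZER_DNS to those connections so the dns_* events fire without @load dns. The dns_request signature is assumed to be the Bro 1.x one of that era, and the per-client counter is an addition here.

```bro
# Added example, not from the mailing-list thread. Assumes Bro 1.x
# (2007-era) syntax; the dns_request signature below is assumed to match
# that release's event definitions.

# Step 1: make sure DNS traffic passes the capture filter (from dns.bro).
# Without this, Bro never sees the packets, whatever analyzers are enabled.
redef capture_filters += {
    ["dns"] = "port 53",
    ["netbios-ns"] = "udp port 137",
};

# Step 2: tell the DPD framework to attach the DNS analyzer to these ports.
# This is what actually causes dns_request and friends to be generated.
global dns_ports = { 53/udp, 53/tcp, 137/udp };
redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };

# Number of DNS queries observed per client address (added here).
global queries_by_client: table[addr] of count &default = 0;

# Bro 1.x signature (assumed): connection, parsed message, query name,
# query type and query class.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    ++queries_by_client[c$id$orig_h];
    print fmt("%s -> %s: query %s (qtype %d)", c$id$orig_h, c$id$resp_h, query, qtype);
    }

# Summarise per-client query counts when Bro shuts down.
event bro_done()
    {
    for ( client in queries_by_client )
        print fmt("%s issued %d DNS queries", client, queries_by_client[client]);
    }
```

Run it as a custom policy file (for instance `bro -r trace.pcap my_dns.bro`, with the file name being yours) and the handler fires for each query even though dns.bro is never loaded.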