[Bro] invoking an analyzer without the default policy script?

Robin Sommer robin at icir.org
Thu Dec 6 05:12:24 PST 2007


On Wed, Dec 05, 2007 at 10:36 -0800, you wrote:

> I did have success by adding the following:
> 
> global dns_ports = { 53/udp, 53/tcp, 137/udp };
> redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };

Ah, sorry, I forgot that. Actually you need both, the right packet
filter and the dpd_config. As Christian noted, your packet filter
might already be right if you're not loading any other scripts
(because then Bro uses the default filter "tcp or udp or icmp").

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
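
A minimal standalone script combining the two pieces named in the reply above (packet filter plus dpd_config), as an added example that is not part of the original message or of Bro's own policy scripts. It assumes the `capture_filters` table from the `pcap` policy script of the 1.x series; the filter name "dns-only", the filter string, and the handler body are constructed for illustration.

```bro
# Assumption: pcap.bro provides the capture_filters table. Loading it
# again is harmless if it has already been loaded.
@load pcap

# Piece 1: the packet filter. Once any script defines a capture filter,
# the default "tcp or udp or icmp" no longer applies, so the DNS ports
# must be listed explicitly or the packets never reach the analyzer.
redef capture_filters += {
    ["dns-only"] = "port 53 or udp port 137",
};

# Piece 2: the dpd_config entry from the quoted message. It tells Bro
# which ports the DNS analyzer should be attached to.
global dns_ports = { 53/udp, 53/tcp, 137/udp };
redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };

# A handler for a DNS event, so the analyzer's output is visible without
# loading the default dns policy script.
event dns_request(c: connection, msg: dns_msg, query: string,
                  qtype: count, qclass: count)
    {
    print fmt("%s -> %s query %s (qtype %d)",
              c$id$orig_h, c$id$resp_h, query, qtype);
    }
```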


