[Bro] three things
Mike Dopheide
dopheide at ncsa.uiuc.edu
Thu Feb 1 20:08:56 PST 2007
The packet you have printed is part of a DNS request (I think). I've
been having problems specifically with the kerberos AS_REQ packets also
included in the trace file that apparently have different special
characters. (I apologize if that wasn't clear.)
Instead of:

    redef udp_content_deliver_all_orig = T;

Try:

    # Deliver UDP payload for Kerberos (port 88) in both directions.
    redef udp_content_delivery_ports_orig = { [88/udp] = T };
    redef udp_content_delivery_ports_resp = { [88/udp] = T };

    # Assumed, not in the original post: the log file that 'dop' refers to.
    global dop = open_log_file("dop");

    event udp_contents(u: connection, is_orig: bool, contents: string)
        {
        # 'number' is defined elsewhere in the poster's script and is not shown here.
        local mystring: string = sub_bytes(contents, 47, (number + 8 - 47));
        print dop, fmt("%s", mystring);
        # '==' against a pattern requires the pattern to match the whole string.
        if ( mystring == /.*NCSA.*/ )
            {
            print dop, fmt("YAY");
            }
        }
I'm expecting your output to be:

    dopheide\xa2^J\x1b^HNCSA.EDU
    afsman\xa2^J\x1b^HNCSA.EDU

Rather than:

    dopheide\xa2^J\x1b^HNCSA.EDU
    YAY
    afsman\xa2^J\x1b^HNCSA.EDU
    YAY
-Mike
Robin Sommer wrote:
> On Wed, Jan 31, 2007 at 18:01 -0600, Mike Dopheide wrote:
>
>> Trace attached. You'll need to run bro with -C to ignore checksum errors.
>
> Works for me:
>
> \xab\xf2^A\0\0^A\0\0\0\0\0\0^P_kerberos-master^D_udp^DNCSA^CEDU\0\0!\0^A
> T
>
> With this script again:
>
> redef udp_content_deliver_all_orig = T;
>
> event udp_contents(u: connection, is_orig: bool, contents: string)
> {
> print contents;
> print /NCSA/ in contents;
> }
>
> So, what does your script look like?
>
> Robin
>
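The two scripts in this thread test the carved-out field differently: Mike's compares the whole string against `/.*NCSA.*/` with `==`, while Robin's asks whether `/NCSA/` occurs anywhere with `in`. The field both posters print contains a `^J` (a 0x0a newline byte) between the principal and the realm, and whether `.` is allowed to cross that byte is exactly the kind of engine detail worth checking before trusting a `.*` match. The following Python model is an added example, not code from the thread or from Bro: it mimics Bro's 1-based `sub_bytes()`, its whole-string `==` and substring `in` pattern semantics, and runs the two checks on a constructed field with and without the newline byte. The choice of a flex-like `.` that excludes newline (Bro's matcher descends from flex) is an assumption to verify against the Bro version in use; the sample bytes are constructed, not taken from the trace.

```python
import re

# Constructed sample, not bytes taken from the trace in the thread: 46 bytes of
# filler standing in for the start of a Kerberos AS_REQ, followed by the field
# the post's sub_bytes(contents, 47, ...) call carves out.  The \x0a between the
# principal and the realm is the "^J" visible in the post's output.
FIELD_WITH_NEWLINE = b"dopheide\xa2\x0a\x1b\x08NCSA.EDU"
FIELD_NO_NEWLINE = b"afsman\xa2\x1b\x08NCSA.EDU"
PAYLOAD = b"\x00" * 46 + FIELD_WITH_NEWLINE


def sub_bytes(s: bytes, start: int, n: int) -> bytes:
    """Model of Bro's sub_bytes(): `start` is 1-based, `n` is the length."""
    return s[start - 1:start - 1 + n]


def pattern_eq(pattern: bytes, s: bytes, dot_matches_newline: bool = False) -> bool:
    """Model of Bro's `s == /pattern/`: the pattern has to match the entire
    string.  Bro's matcher descends from flex, where `.` excludes newline, so
    that is the default here (assumption: verify against the Bro in use)."""
    flags = re.DOTALL if dot_matches_newline else 0
    return re.fullmatch(pattern, s, flags) is not None


def pattern_in(pattern: bytes, s: bytes) -> bool:
    """Model of Bro's `/pattern/ in s`: a match anywhere in s suffices."""
    return re.search(pattern, s) is not None


def check_field(field: bytes) -> dict:
    """Apply the checks the thread uses to one carved-out field."""
    return {
        # Mike's test: whole-string match with `.*` on both sides.
        "eq_dotstar": pattern_eq(rb".*NCSA.*", field),
        # The same pattern if `.` were allowed to cross newlines.
        "eq_dotstar_dotall": pattern_eq(rb".*NCSA.*", field, True),
        # Robin's test: substring search for the literal.
        "in_literal": pattern_in(rb"NCSA", field),
    }


def main() -> None:
    field = sub_bytes(PAYLOAD, 47, len(FIELD_WITH_NEWLINE))
    for name, fld in (("with newline", field), ("without newline", FIELD_NO_NEWLINE)):
        print(name, fld, check_field(fld))


if __name__ == "__main__":
    main()
```

With a newline-excluding `.`, the field that contains the 0x0a byte fails the whole-string `.*NCSA.*` comparison while the literal substring search still finds the realm, and a field without that byte passes both; a substring test for the literal you actually care about sidesteps the question entirely.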