[Bro] three things

Robin Sommer robin at icir.org
Wed Jan 31 17:09:34 PST 2007


On Wed, Jan 31, 2007 at 14:03 -0600, Mike Dopheide wrote:

> I've spent quite a bit of time trying to get a regular expression to 
> match packet contents returned by udp_contents(). 

Just tried it with a DNS packet and this script works for me:

     redef udp_content_deliver_all_orig = T;

     event udp_contents(u: connection, is_orig: bool, contents: string)
     {
        print contents;
        print /.*bro-ids./ in contents;
     }


Output:
     
     /\xb8^A\0\0^A\0\0\0\0\0\0^Cwww^Gbro-ids^Corg\0\0^A\0^A
     T

Can you send me a trace and your script?

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
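The pattern in Robin's script matches because it never relies on the dots of the hostname: on the wire, a DNS name is a sequence of length-prefixed labels (`\x03www\x07bro-ids\x03org\x00`), so the trailing `.` in `/.*bro-ids./` is consuming the `\x03` length byte in front of `org`, not a literal dot. The following is an added example, not code from the post or from Bro itself: it builds the same kind of A query Robin printed (transaction id 0x2fb8 and the header bytes are chosen to mirror his output; the packet is constructed, not captured) and runs the equivalent regex over the raw payload with Python's `re`, which stands in here for Bro's pattern matcher on the assumption that Bro's `pattern in string` is an unanchored search. It also shows that a regex written against the dotted form of the name does not match the payload at all, and includes a small label decoder so the two forms can be compared.

```python
import re
import struct


def build_dns_query(name: str, txid: int = 0x2FB8) -> bytes:
    """Encode a standard DNS A/IN query for `name` in wire format.

    Constructed sample input: txid 0x2fb8 and flags 0x0100 (RD set) mirror
    the header bytes printed in the thread; QDCOUNT=1, other counts 0.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # Each label is prefixed with its length; the name ends with a zero byte.
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    qtype_qclass = struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + qname + qtype_qclass


# Equivalent of Bro's /.*bro-ids./ applied to a byte string. Without
# re.DOTALL, "." matches any byte except 0x0a, like a flex-style regex.
WIRE_PATTERN = re.compile(rb".*bro-ids.")

# A pattern written against the dotted hostname, which never appears on the wire.
DOTTED_PATTERN = re.compile(rb"www\.bro-ids\.org")


def pattern_matches(payload: bytes) -> bool:
    """True if /.*bro-ids./ matches anywhere in the payload (unanchored search)."""
    return WIRE_PATTERN.search(payload) is not None


def dotted_literal_matches(payload: bytes) -> bool:
    """True if the dotted form of the name matches the raw payload (it will not)."""
    return DOTTED_PATTERN.search(payload) is not None


def decode_qname(payload: bytes) -> str:
    """Decode the first question name from a DNS message into dotted form.

    Handles only uncompressed names (sufficient for a query we built ourselves);
    a compression pointer (top two bits set) is treated as an error.
    """
    offset = 12  # skip the fixed 12-byte header
    labels = []
    while True:
        length = payload[offset]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers not supported in this decoder")
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)


if __name__ == "__main__":
    pkt = build_dns_query("www.bro-ids.org")
    print(pkt)
    print("wire regex matches:  ", pattern_matches(pkt))        # True
    print("dotted literal matches:", dotted_literal_matches(pkt))  # False
    print("decoded qname:       ", decode_qname(pkt))           # www.bro-ids.org
```

The practical point when matching `udp_contents()` payloads: write the pattern against the bytes as they appear on the wire, or decode the protocol first and match the decoded field, rather than against the human-readable rendering of the data.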
