[Bro] three things
Robin Sommer
robin at icir.org
Wed Jan 31 17:09:34 PST 2007
On Wed, Jan 31, 2007 at 14:03 -0600, Mike Dopheide wrote:
> I've spent quite a bit of time trying to get a regular expression to
> match packet contents returned by udp_contents().
Just tried it with a DNS packet and this script works for me:
redef udp_content_deliver_all_orig = T;
event udp_contents(u: connection, is_orig: bool, contents: string)
    {
    print contents;
    print /.*bro-ids./ in contents;
    }
Output:
/\xb8^A\0\0^A\0\0\0\0\0\0^Cwww^Gbro-ids^Corg\0\0^A\0^A
T
Can you send me a trace and your script?
Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org
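Added example, not part of Robin's message or the Bro project: a small Python decoder for the DNS query his script printed, re-typed here as constructed bytes. It shows why `/.*bro-ids./` matches the raw payload while a dotted name would not, since DNS names on the wire carry length octets instead of dots.

```python
import re
import struct

# Constructed sample: the DNS query printed by the Bro script above, re-typed as raw bytes.
# Bro's escaped form "/\xb8^A\0\0^A\0\0\0\0\0\0^Cwww^Gbro-ids^Corg\0\0^A\0^A"
# is: ID 0x2fb8, flags 0x0100, QDCOUNT 1, then one question for www.bro-ids.org.
SAMPLE = (b"/\xb8"                              # transaction ID (0x2f 0xb8)
          b"\x01\x00"                           # flags: recursion desired
          b"\x00\x01\x00\x00\x00\x00\x00\x00"   # QDCOUNT=1, AN=0, NS=0, AR=0
          b"\x03www\x07bro-ids\x03org\x00"      # QNAME as length-prefixed labels
          b"\x00\x01\x00\x01")                  # QTYPE A, QCLASS IN


def parse_question(payload: bytes) -> dict:
    """Decode the DNS header and the first question from a raw UDP payload."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    labels, pos = [], 12
    while True:
        n = payload[pos]
        pos += 1
        if n == 0:                  # root label terminates the name
            break
        if n & 0xC0:                # compression pointer; not expected in a query
            raise ValueError("compressed name in question section")
        labels.append(payload[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"id": ident, "flags": flags, "qdcount": qd,
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def matches(pattern: bytes, payload: bytes) -> bool:
    """Unanchored regex search over the raw bytes, like `pattern in contents` in Bro."""
    return re.search(pattern, payload, re.DOTALL) is not None


if __name__ == "__main__":
    print(parse_question(SAMPLE))
    print(matches(rb".*bro-ids.", SAMPLE))    # True: the trailing "." consumes the 0x03 length octet
    print(matches(rb"bro-ids\.org", SAMPLE))  # False: there is no literal "." in a wire-format name
```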