[Bro] three things
Mike Dopheide
dopheide at ncsa.uiuc.edu
Wed Jan 31 16:01:44 PST 2007
Trace attached. You'll need to run bro with -C to ignore checksum errors.
-Mike
Robin Sommer wrote:
> On Wed, Jan 31, 2007 at 14:03 -0600, Mike Dopheide wrote:
>
>> I've spent quite a bit of time trying to get a regular expression to
>> match packet contents returned by udp_contents().
>
> Just tried it with a DNS packet and this script works for me:
>
> redef udp_content_deliver_all_orig = T;
>
> event udp_contents(u: connection, is_orig: bool, contents: string)
>     {
>     print contents;
>     print /.*bro-ids./ in contents;
>     }
>
>
> Output:
>
> /\xb8^A\0\0^A\0\0\0\0\0\0^Cwww^Gbro-ids^Corg\0\0^A\0^A
> T
>
> Can you send me a trace and your script?
>
> Robin
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trace2.out
Type: application/octet-stream
Size: 14028 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20070131/6772b7d1/attachment.obj
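A point worth seeing in working code, added here as an example and not part of the thread or of Bro itself: the udp_contents() string Robin prints is the raw DNS wire format, where the name is stored as length-prefixed labels (`^Cwww^Gbro-ids^Corg`) rather than as dotted text. A pattern like `/www\.bro-ids\.org/` with literal dots therefore never matches the payload, while Robin's `/.*bro-ids./` does because its trailing `.` is a wildcard that happens to match the 0x03 length byte in front of `org`. The Python below rebuilds the same query bytes (the transaction ID 0x2FB8 is copied from the printed output; everything else follows RFC 1035), decodes the name, and runs the three patterns with `re.search` as an approximation of Bro's `/pattern/ in string` test. `build_dns_query`, `decode_qname`, `matches` and `check` are names chosen for this example.

```python
import re

HEADER_LEN = 12  # DNS header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def build_dns_query(name: str, txid: int = 0x2FB8) -> bytes:
    """Constructed standard query for `name` (QTYPE A, QCLASS IN).

    With the default txid this reproduces the bytes Robin printed:
    /\\xb8 ^A\\0 \\0^A \\0\\0 \\0\\0 \\0\\0 ^Cwww ^Gbro-ids ^Corg \\0 \\0^A \\0^A
    """
    header = (
        txid.to_bytes(2, "big")
        + b"\x01\x00"        # flags: standard query, recursion desired
        + b"\x00\x01"        # QDCOUNT = 1
        + b"\x00\x00" * 3    # ANCOUNT, NSCOUNT, ARCOUNT = 0
    )
    # Each label is preceded by its length byte; the name ends with a zero byte.
    qname = b"".join(
        len(label).to_bytes(1, "big") + label.encode("ascii")
        for label in name.split(".")
    ) + b"\x00"
    return header + qname + b"\x00\x01\x00\x01"  # QTYPE A, QCLASS IN


def decode_qname(payload: bytes) -> str:
    """Decode the first question name back into dotted form.

    Only plain labels are handled; compression pointers (top two bits set)
    do not appear in a question section built by build_dns_query.
    """
    pos = HEADER_LEN
    labels = []
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not handled in this example")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def matches(pattern: str, contents: bytes) -> bool:
    """Approximate Bro's `/pattern/ in contents`: unanchored search over raw bytes."""
    return re.search(pattern.encode("latin-1"), contents) is not None


def check(payload: bytes) -> dict:
    """Run the patterns discussed in the thread against one payload."""
    return {
        "name": decode_qname(payload),
        # Robin's pattern: the trailing '.' wildcard absorbs the label length byte.
        "wildcard_dot": matches(r".*bro-ids.", payload),
        # Literal dots never occur between labels on the wire, so this fails.
        "literal_dots": matches(r"www\.bro-ids\.org", payload),
        # Spelling out the length bytes matches the wire format exactly.
        "label_aware": matches(r"\x03www\x07bro-ids\x03org", payload),
    }


if __name__ == "__main__":
    query = build_dns_query("www.bro-ids.org")
    print(query)
    for key, value in check(query).items():
        print(f"{key}: {value}")
```

The practical consequence for a detection script is that a regex intended to fire on a hostname inside raw DNS payload has to be written against the label-length encoding (or the parsed name from Bro's DNS analyzer), not against the dotted form a human would type.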