[Bro] Partial tcpdump traces

[Danny Nechay]

Hi,

I have a trickier question than last time. I am inputting into Bro partial
tcpdump traces (by using the -s option in tcpdump - I am now getting only
the first 100 bytes of a packet instead of the full packet). The problem
though is that in Bro it seems to discard the entire payload. Is there any
way to force Bro to keep the payload? This is a problem as since it is
discarding the payload any signature that does a payload match does not work
anymore. For a tcpdump trace that has the entire payload this does not occur
as it keeps the payload then and finds the proper signature.

As an example, in the following snippet of code, the event only prints the
payload when a full tcpdump trace is given.

# http://osdir.com/ml/security.detection.bro/2004-07/msg00013.html
@load site
@load snort
@load weird
@load alarm

redef signature_files += "sigs/test.sig";

event signature_match(state: signature_state, msg: string, data: string)
{
# Note: data is the payload. Example: print fmt("%s", data);

print fmt("Print payload:\n%s", data);
}

Any suggestions?
Thanks.

Daniel.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080421/5bd9fa63/attachment.html