[Bro] Partial tcpdump traces
Robin Sommer
robin at icir.org
Wed Apr 23 12:27:34 PDT 2008
On Wed, Apr 23, 2008 at 02:18 -0400, you wrote:
> could you possibly point me towards which files or functions I should look
> at to get rid of these sanity checks?
The one I found is this snippet in TCP.cc:
if ( len > 0 && (caplen >= len || packet_children.size()) &&
! flags.RST() && ! Skipping() )
need_contents = DeliverData(t, data, len, caplen, ip, tp,
endpoint, base_seq,
is_orig, flags);
The condition "caplen >= len" prevents Bro from passing the payload
on. However, just removing this still doesn't get the data to the
signature engine so there must be more such checks at other places
(to check whether the sig engine sees the data, you can configure
with --enable-debug and then run Bro with "-B rules"; that outputs
some debugging info into debug.log; your payload should show up in
there).
Robin
--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
More information about the Bro
mailing list