[Bro] IGMP analyzer
Vern Paxson
vern at icir.org
Wed Jul 23 15:18:29 PDT 2008
> I have a trace file containing an attack related to bid 514.
Can you send it?
> snort is showing up but the converted snort2bro rule
> signature s2b-273-8 {
> header ip[9:1] == 2
> event "DOS IGMP dos attack sid 1:273:8 bid 514;"
> header ip[6:1] & 224 == 32
> }
Note, we don't term this an IGMP *analyzer*, just an imported Snort rule.
We don't support such rules other than in terms of fixing problems they
exhibit that are due to Bro's underlying signature-matcher. (That is, we
don't vouch for the Snort rules, nor try to clean them up, nor support the
snort2bro translation utility.)
Vern