[Bro] modifying bro.init

daniela.miao at utoronto.ca daniela.miao at utoronto.ca
Thu Feb 4 17:32:03 PST 2010


Hi Seth,

That worked great, thanks a lot! But it seems that I shouldn't simply  
ignore the checksum errors, since now it's giving me an "unrecognized  
character" error.

Can I somehow log the checksum error but at least let the parser parse  
it anyways?

Thanks,

Daniela

Quoting Seth Hall <hall.692 at osu.edu>:

>
> On Feb 3, 2010, at 9:55 PM, daniela.miao at utoronto.ca wrote:
>
>> Thanks for your help before. I found that the DNS parser was giving me
>> trouble due to many of the IP checksum errors. I don't really care
>> much about these errors anyways.
>
> Ah, that trips up everyone eventually I think. :)
>
>> I understand the boolean value of ignore_checksum is set to False in
>> bro.init, do I just modify this file?
>
> Nope, you don't modify the bro.init script.  See below.
>
>> I apologize if the issue seems trivial, I'm just starting to get the
>> hang of the language.
>
>
> You have two options.
>
> Either in a script you write and load on the command line...
> redef ignore_checksum=T;
>
> or run Bro this way....
> bro -r test.pcap dns ignore_checksum=T
>
> Feel free to ask more questions!
>
>   .Seth
>
> ---
> Seth Hall
> Network Security - Office of the CIO
> The Ohio State University
> Phone: 614-292-9721







More information about the Bro mailing list