[Bro] Bro with PPPoE [was Re: HTTP not being seen]

James Lay jlay at slave-tothe-box.net
Mon Sep 16 10:08:08 PDT 2013


On 2013-09-16 10:52, Seth Hall wrote:
> On Sep 16, 2013, at 12:29 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
>> /usr/local/bro/share/bro/policy/frameworks/software/vulnerable.bro, line 41: BroType::AsRecordType (table/record) (set[record { min:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; max:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; }])
>
>
> Your local.bro is probably using the old style for defining
> vulnerable software.  You could just comment that out for now.
>
>   .Seth

Thanks Seth...that did the trick.  Additionally I had to comment out:

@load protocols/http/detect-MHR
redef CaptureLoss::watch_interval = 1 min;


error in /usr/local/bro/share/bro/policy/protocols/http/detect-MHR.bro, line 22: no such field in record (HTTP::rec?$md5)
error in /usr/local/bro/share/bro/policy/protocols/http/detect-MHR.bro, line 24: no such field in record (HTTP::rec$md5)
error in /usr/local/bro/share/bro/policy/protocols/http/detect-MHR.bro, line 31: no such field in record (HTTP::rec$md5)

error in /usr/local/bro/spool/installed-scripts-do-not-touch/site/local.bro, line 76: "redef" used but not previously defined (CaptureLoss::watch_interval)


I saw just one of these:
#types  time  string addr   port addr   port    string string   bool   string
1379351003.903370   -   -   -  - -      non_ip_packet_in_pppoe_encapsulation    -  F    bro

So it's working well...this REALLY helps me out when my ISP flakes out 
and ppp0 drops/reconnects.  Thanks Seth...also, is there a spot where I 
can read about the "new" style for defines?  Thanks again.

James



