[Bro] Bro with PPPoE [was Re: HTTP not being seen]
James Lay
jlay at slave-tothe-box.net
Mon Sep 16 10:08:08 PDT 2013
On 2013-09-16 10:52, Seth Hall wrote:
> On Sep 16, 2013, at 12:29 PM, James Lay <jlay at slave-tothe-box.net>
> wrote:
>
>> /usr/local/bro/share/bro/policy/frameworks/software/vulnerable.bro,
>> line
>> 41: BroType::AsRecordType (table/record) (set[record { min:record {
>> major:count; minor:count; minor2:count; minor3:count; addl:string;
>> };
>> max:record { major:count; minor:count; minor2:count; minor3:count;
>> addl:string; }; }])
>
>
> Your local.bro is probably using the old style for defining
> vulnerable software. You could just comment that out for now.
>
> .Seth
Thanks Seth...that did the trick. Additionally I had to comment out:

@load protocols/http/detect-MHR
redef CaptureLoss::watch_interval = 1 min;

error in /usr/local/bro/share/bro/policy/protocols/http/detect-MHR.bro, line 22: no such field in record (HTTP::rec?$md5)
error in /usr/local/bro/share/bro/policy/protocols/http/detect-MHR.bro, line 24: no such field in record (HTTP::rec$md5)
error in /usr/local/bro/share/bro/policy/protocols/http/detect-MHR.bro, line 31: no such field in record (HTTP::rec$md5)
error in /usr/local/bro/spool/installed-scripts-do-not-touch/site/local.bro, line 76: "redef" used but not previously defined (CaptureLoss::watch_interval)

I saw just one of these:

#types time string addr port addr port string string bool string
1379351003.903370 - - - - - non_ip_packet_in_pppoe_encapsulation - F bro

so it's working good...this REALLY helps me out when my ISP flakes out
and ppp0 drops/reconnects. Thanks Seth...also is there a spot that I
can read about the "new" style for defines? Thanks again.

James