[Bro] Broadcast detection
Swan, Jay
jswan at sugf.com
Tue Aug 25 10:39:58 PDT 2015
One way would be to check the packet destination against the IP multicast range:
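    # IPv4 multicast range and the limited broadcast address.
    global mcast = 224.0.0.0/4;
    global bcast = 255.255.255.255;

    event new_packet(c: connection, p: pkt_hdr) {
        # Flag packets whose destination is multicast or broadcast.
        if (c$id$resp_h in mcast || c$id$resp_h == bcast)
            print "multicast or broadcast found";
    }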
You wouldn't want to use the new_packet event of course.
-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Vito Logrillo
Sent: Tuesday, August 25, 2015 9:41 AM
To: bro at bro.org
Subject: [Bro] Broadcast detection
Hi all,
I want to flag whether a given IP is an IP broadcast/multicast or not.
Are there any built-in functions able to recognize an IP broadcast in Bro?
Thanks,
Vito
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
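
The check from the reply above, moved off new_packet and onto the per-connection new_connection event, as an added example that is not part of the original thread. It goes beyond the reply by also matching IPv6 multicast and subnet-directed broadcasts; the module name, the function name and the directed broadcast addresses are constructed for illustration and must be replaced with the values for the monitored networks.

```bro
module BcastDetect;

export {
    ## IPv4 and IPv6 multicast ranges.
    const mcast_nets: set[subnet] = { 224.0.0.0/4, [ff00::]/8 } &redef;

    ## Subnet-directed broadcast addresses of the monitored networks.
    ## Constructed sample values; Bro cannot infer these without
    ## knowing each network's prefix length.
    const directed_bcast: set[addr] = { 192.168.1.255, 10.0.0.255 } &redef;
}

# Hypothetical helper: T if the address is the limited broadcast
# address, a listed directed broadcast address, or a multicast address.
function is_bcast_or_mcast(a: addr): bool
    {
    return a == 255.255.255.255 || a in directed_bcast || a in mcast_nets;
    }

# new_connection fires once per new flow (UDP and ICMP included),
# so the check runs per flow instead of per packet.
event new_connection(c: connection)
    {
    if ( is_bcast_or_mcast(c$id$resp_h) )
        print fmt("%s -> %s is broadcast or multicast",
                  c$id$orig_h, c$id$resp_h);
    }
```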