[Bro] Broadcast detection

Vito Logrillo vitologrillo at gmail.com
Wed Aug 26 06:02:36 PDT 2015


Hi,
thanks for your reply.
What I'm trying to do is to create a flag if an IP broadcast is found.
For example, in networks.cfg I've written this subnet
172.20.1.0/24
Its broadcast address is 172.20.1.255.
I can read all subnets written in networks.cfg with the variable
Site::local_nets_table: to calculate the IP broadcast I can use this
method
https://en.wikipedia.org/wiki/Broadcast_address
What I'm not able to do is to transform a subnet variable (in this
case 172.20.1.0/24) into an IP variable (172.20.1.0) plus a count
(24).
Any suggestion?
Thanks
Vito

2015-08-25 19:39 GMT+02:00 Swan, Jay <jswan at sugf.com>:
> One way would be to check the packet destination against the IP multicast range:
>
> global mcast = 224.0.0.0/4;
> global bcast = 255.255.255.255;
> event new_packet(c:connection,p:pkt_hdr) {
>     if (c$id$resp_h in mcast || c$id$resp_h == bcast)
>         print "multicast or broadcast found";
> }
>
> You wouldn't want to use the new_packet event of course.
>
> -----Original Message-----
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Vito Logrillo
> Sent: Tuesday, August 25, 2015 9:41 AM
> To: bro at bro.org
> Subject: [Bro] Broadcast detection
>
> Hi all,
> I want to flag if a given IP is an IP broadcast/multicast or not:
> are there some built-in functions able to recognize an IP broadcast in Bro?
> Thanks,
> Vito
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

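The broadcast calculation asked about above, as an added example that is not part of the original thread and is written in Python rather than Bro script: it splits a subnet into a network address plus prefix length, sets all host bits to get the directed broadcast, and combines that with the multicast and 255.255.255.255 checks from the quoted reply. `LOCAL_NETS` is a constructed stand-in for networks.cfg, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample standing in for the subnets listed in networks.cfg.
LOCAL_NETS = ["172.20.1.0/24", "10.8.0.0/22", "192.0.2.4/31"]

MCAST = ipaddress.IPv4Network("224.0.0.0/4")
LIMITED_BCAST = ipaddress.IPv4Address("255.255.255.255")


def split_subnet(cidr):
    """Return (network address as int, prefix length) for an IPv4 CIDR string."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return int(net.network_address), net.prefixlen


def directed_broadcast(cidr):
    """Network address OR'd with the inverted mask, i.e. all host bits set.

    Returns None for /31 and /32, which have no broadcast address (RFC 3021).
    """
    base, width = split_subnet(cidr)
    if width >= 31:
        return None
    host_bits = (1 << (32 - width)) - 1
    return ipaddress.IPv4Address(base | host_bits)


def classify(dst, nets=LOCAL_NETS):
    """Label a destination address as 'multicast', 'broadcast' or 'unicast'."""
    addr = ipaddress.IPv4Address(dst)
    if addr in MCAST:
        return "multicast"
    if addr == LIMITED_BCAST:
        return "broadcast"
    # Directed broadcasts of every configured subnet (None entries never match).
    bcasts = {directed_broadcast(n) for n in nets}
    return "broadcast" if addr in bcasts else "unicast"


if __name__ == "__main__":
    # Constructed destinations: 10.8.1.255 ends in .255 but is a host in the /22.
    for dst in ["172.20.1.255", "10.8.3.255", "10.8.1.255",
                "224.0.0.251", "255.255.255.255", "192.0.2.5"]:
        print(dst, classify(dst))
```

The 10.8.1.255 case shows why matching on a trailing .255 is not enough: the prefix length decides which address is the broadcast.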