[Bro] Broadcast detection
anthony kasza
anthony.kasza at gmail.com
Wed Aug 26 07:17:56 PDT 2015
Oh I see what you're saying. What you'd like is a function that takes a
subnet as input and returns the broadcast address, correct?
-AK
On Aug 26, 2015 6:11 AM, "Vito Logrillo" <vitologrillo at gmail.com> wrote:
> Hi,
> thanks for your reply.
> What i'm trying to do is to create a flag if an ip broadcast is found.
> For example, in networks.cfg i've written this subnet
> 172.20.1.0/24
> It's broadcast address is 172.20.1.255.
> I can read all subnets written in networks.cfg with the variable
> Site::local_nets_table: to calculate the ip broadcast i can use this
> method
> https://en.wikipedia.org/wiki/Broadcast_address
> What i'm not able to do is to transform a subnet variable (in this
> case 172.20.1.0/24) into an ip variable (172.20.1.0) plus a count
> (24).
> Any suggestion?
> Thanks
> Vito
>
> 2015-08-25 19:39 GMT+02:00 Swan, Jay <jswan at sugf.com>:
> > One way would be to check the packet destination against the IP
> multicast range:
> >
> > global mcast = 224.0.0.0/4;
> > global bcast = 255.255.255.255;
> > event new_packet(c:connection,p:pkt_hdr) {
> > if (c$id$resp_h in mcast || c$id$resp_h == bcast)
> > print "mutlicast or broadcast found";
> > }
> >
> > You wouldn't want to use the new_packet event of course.
> >
> > -----Original Message-----
> > From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of
> Vito Logrillo
> > Sent: Tuesday, August 25, 2015 9:41 AM
> > To: bro at bro.org
> > Subject: [Bro] Broadcast detection
> >
> > Hi all,
> > i want to flag if a given ip is an ip broadcast/multicast or not:
> > there are some built-in functions able to recognize an ip broadcast in
> Bro?
> > Thanks,
> > Vito
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150826/b0baf3c9/attachment.html
More information about the Bro
mailing list