[Bro] Broadcast detection

Vito Logrillo vitologrillo at gmail.com
Wed Aug 26 10:48:03 PDT 2015 

Correct!
Any suggestion?

2015-08-26 16:17 GMT+02:00 anthony kasza <anthony.kasza at gmail.com>:
> Oh I see what you're saying. What you'd like is a function that takes a
> subnet as input and returns the broadcast address, correct?
>
> -AK
>
> On Aug 26, 2015 6:11 AM, "Vito Logrillo" <vitologrillo at gmail.com> wrote:
>>
>> Hi,
>> thanks for your reply.
>> What i'm trying to do is to create a flag if an ip broadcast is found.
>> For example, in networks.cfg i've written this subnet
>> 172.20.1.0/24
>> It's broadcast address is 172.20.1.255.
>> I can read all subnets written in networks.cfg with the variable
>> Site::local_nets_table: to calculate the ip broadcast i can use this
>> method
>> https://en.wikipedia.org/wiki/Broadcast_address
>> What i'm not able to do is to transform a subnet variable (in this
>> case 172.20.1.0/24) into an ip variable (172.20.1.0) plus a count
>> (24).
>> Any suggestion?
>> Thanks
>> Vito
>>
>> 2015-08-25 19:39 GMT+02:00 Swan, Jay <jswan at sugf.com>:
>> > One way would be to check the packet destination against the IP
>> > multicast range:
>> >
>> > global mcast = 224.0.0.0/4;
>> > global bcast = 255.255.255.255;
>> > event new_packet(c:connection,p:pkt_hdr) {
>> >     if (c$id$resp_h in mcast || c$id$resp_h == bcast)
>> >         print "mutlicast or broadcast found";
>> > }
>> >
>> > You wouldn't want to use the new_packet event of course.
>> >
>> > -----Original Message-----
>> > From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Vito
>> > Logrillo
>> > Sent: Tuesday, August 25, 2015 9:41 AM
>> > To: bro at bro.org
>> > Subject: [Bro] Broadcast detection
>> >
>> > Hi all,
>> > i want to flag if a given ip is an ip broadcast/multicast or not:
>> > there are some built-in functions able to recognize an ip broadcast in
>> > Bro?
>> > Thanks,
>> > Vito
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> >
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list