[Bro] Broadcast detection

anthony kasza anthony.kasza at gmail.com
Wed Aug 26 12:41:54 PDT 2015


The following code feels like it should work, but the last print statement
breaks it.

local my_subnet: subnet = 1.1.1.1/8;
print fmt("%s", my_subnet);
print fmt("%s", |my_subnet|);
print fmt("%s", my_subnet[ |my_subnet| ]);

I don't believe there is currently a built-in way to do what you want. Is
there a way to convert a subnet to a vector of addr?

-AK
On Aug 26, 2015 10:50 AM, "Vito Logrillo" <vitologrillo at gmail.com> wrote:

> Correct!
> Any suggestion?
>
> 2015-08-26 16:17 GMT+02:00 anthony kasza <anthony.kasza at gmail.com>:
> > Oh I see what you're saying. What you'd like is a function that takes a
> > subnet as input and returns the broadcast address, correct?
> >
> > -AK
> >
> > On Aug 26, 2015 6:11 AM, "Vito Logrillo" <vitologrillo at gmail.com> wrote:
> >>
> >> Hi,
> >> thanks for your reply.
> >> What I'm trying to do is to create a flag if an IP broadcast is found.
> >> For example, in networks.cfg I've written this subnet
> >> 172.20.1.0/24
> >> Its broadcast address is 172.20.1.255.
> >> I can read all subnets written in networks.cfg with the variable
> >> Site::local_nets_table: to calculate the IP broadcast I can use this
> >> method
> >> https://en.wikipedia.org/wiki/Broadcast_address
> >> What I'm not able to do is to transform a subnet variable (in this
> >> case 172.20.1.0/24) into an IP variable (172.20.1.0) plus a count
> >> (24).
> >> Any suggestion?
> >> Thanks
> >> Vito
> >>
> >> 2015-08-25 19:39 GMT+02:00 Swan, Jay <jswan at sugf.com>:
> >> > One way would be to check the packet destination against the IP
> >> > multicast range:
> >> >
> >> > global mcast = 224.0.0.0/4;
> >> > global bcast = 255.255.255.255;
> >> > event new_packet(c:connection,p:pkt_hdr) {
> >> >     if (c$id$resp_h in mcast || c$id$resp_h == bcast)
> >> >         print "multicast or broadcast found";
> >> > }
> >> >
> >> > You wouldn't want to use the new_packet event of course.
> >> >
> >> > -----Original Message-----
> >> > From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Vito Logrillo
> >> > Sent: Tuesday, August 25, 2015 9:41 AM
> >> > To: bro at bro.org
> >> > Subject: [Bro] Broadcast detection
> >> >
> >> > Hi all,
> >> > I want to flag if a given IP is an IP broadcast/multicast or not:
> >> > are there some built-in functions able to recognize an IP broadcast in
> >> > Bro?
> >> > Thanks,
> >> > Vito
> >> > _______________________________________________
> >> > Bro mailing list
> >> > bro at bro-ids.org
> >> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
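
Added example, not part of the thread: the subnet-to-broadcast arithmetic discussed above, written in Python rather than Bro script so the bit operations are explicit. The sample networks.cfg text, the function names and the test addresses are constructed for illustration, and /31 and /32 nets are assumed to have no broadcast address (RFC 3021).

```python
import ipaddress

MCAST4 = ipaddress.ip_network("224.0.0.0/4")             # multicast range from the thread
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")  # limited broadcast from the thread

# Constructed sample in networks.cfg style: subnet, whitespace, description.
SAMPLE_CFG = """\
# local networks (constructed for this example)
172.20.1.0/24\tOffice LAN
10.0.0.0/8\tPrivate space
fd00::/8\tIPv6 ULA (IPv6 has no broadcast, skipped)
"""

def parse_networks_cfg(text):
    """Return the IPv4 CIDR strings found in networks.cfg-style text."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and ":" not in line.split()[0]:
            nets.append(line.split()[0])
    return nets

def split_subnet(cidr):
    """Split '172.20.1.0/24' into (network address as int, prefix length)."""
    addr, _, plen = cidr.partition("/")
    plen = int(plen)
    if not 0 <= plen <= 32:
        raise ValueError("bad IPv4 prefix length: %d" % plen)
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & mask, plen  # host bits cleared

def directed_broadcast(cidr):
    """Broadcast address of an IPv4 subnet, or None for /31 and /32."""
    net, plen = split_subnet(cidr)
    if plen >= 31:
        return None
    return ipaddress.IPv4Address(net | ((1 << (32 - plen)) - 1))  # all host bits set

def classify(dst, local_nets):
    """Label a destination as 'broadcast', 'multicast' or 'unicast'."""
    ip = ipaddress.ip_address(dst)
    if ip.version == 6:
        return "multicast" if ip.is_multicast else "unicast"
    if ip == LIMITED_BCAST or any(directed_broadcast(n) == ip for n in local_nets):
        return "broadcast"
    return "multicast" if ip in MCAST4 else "unicast"

if __name__ == "__main__":
    nets = parse_networks_cfg(SAMPLE_CFG)
    for dst in ("172.20.1.255", "172.20.1.25", "224.0.0.251", "255.255.255.255"):
        print(dst, classify(dst, nets))
```

A subnet written with host bits set, such as the 1.1.1.1/8 from the message above, is masked down to its network address before the broadcast address is computed.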