[Bro] Broadcast detection

anthony kasza anthony.kasza at gmail.com
Wed Aug 26 18:12:18 PDT 2015


I'm looking to write a bif which does this. How can I access a subnet's
prefix as an int? Here's what I have so far.

function get_broadcast%(snet: subnet%): addr
  %{
  return new AddrVal( snet->Prefix() + (snet->Width() - 1) );
  %}

-AK
On Aug 26, 2015 12:41 PM, "anthony kasza" <anthony.kasza at gmail.com> wrote:

> The following code feels like it should work, but the last print statement
> breaks it.
>
> local my_subnet: subnet = 1.1.1.1/8;
> print fmt("%s", my_subnet);
> print fmt("%s", |my_subnet|);
> print fmt("%s", my_subnet[ |my_subnet| ]);
>
> I don't believe there is currently a built-in way to do what you want. Is
> there a way to convert a subnet to a vector of addr?
>
> -AK
> On Aug 26, 2015 10:50 AM, "Vito Logrillo" <vitologrillo at gmail.com> wrote:
>
>> Correct!
>> Any suggestion?
>>
>> 2015-08-26 16:17 GMT+02:00 anthony kasza <anthony.kasza at gmail.com>:
>> > Oh I see what you're saying. What you'd like is a function that takes a
>> > subnet as input and returns the broadcast address, correct?
>> >
>> > -AK
>> >
>> > On Aug 26, 2015 6:11 AM, "Vito Logrillo" <vitologrillo at gmail.com> wrote:
>> >>
>> >> Hi,
>> >> thanks for your reply.
>> >> What I'm trying to do is to create a flag if an IP broadcast is found.
>> >> For example, in networks.cfg I've written this subnet
>> >> 172.20.1.0/24
>> >> Its broadcast address is 172.20.1.255.
>> >> I can read all subnets written in networks.cfg with the variable
>> >> Site::local_nets_table: to calculate the IP broadcast I can use this
>> >> method
>> >> https://en.wikipedia.org/wiki/Broadcast_address
>> >> What I'm not able to do is to transform a subnet variable (in this
>> >> case 172.20.1.0/24) into an IP variable (172.20.1.0) plus a count
>> >> (24).
>> >> Any suggestion?
>> >> Thanks
>> >> Vito
>> >>
>> >> 2015-08-25 19:39 GMT+02:00 Swan, Jay <jswan at sugf.com>:
>> >> > One way would be to check the packet destination against the IP
>> >> > multicast range:
>> >> >
>> >> > global mcast = 224.0.0.0/4;
>> >> > global bcast = 255.255.255.255;
>> >> > event new_packet(c:connection,p:pkt_hdr) {
>> >> >     if (c$id$resp_h in mcast || c$id$resp_h == bcast)
>> >> >         print "multicast or broadcast found";
>> >> > }
>> >> >
>> >> > You wouldn't want to use the new_packet event of course.
>> >> >
>> >> > -----Original Message-----
>> >> > From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Vito Logrillo
>> >> > Sent: Tuesday, August 25, 2015 9:41 AM
>> >> > To: bro at bro.org
>> >> > Subject: [Bro] Broadcast detection
>> >> >
>> >> > Hi all,
>> >> > I want to flag if a given IP is an IP broadcast/multicast or not:
>> >> > are there some built-in functions able to recognize an IP broadcast in
>> >> > Bro?
>> >> > Thanks,
>> >> > Vito
>> >> > _______________________________________________
>> >> > Bro mailing list
>> >> > bro at bro-ids.org
>> >> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
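
The arithmetic this thread is after, as an added example that is not part of the original messages and does not use Bro's own classes: the directed broadcast address is the network prefix with every host bit set, and a destination can then be classified against 224.0.0.0/4, 255.255.255.255 and the local subnets. It is IPv4 only, works on host-order integers, and every name in it (broadcast_of, classify, Net, DstKind, ip) is hypothetical.

```cpp
// Added example: IPv4 broadcast arithmetic on host-order integers.
// All names are hypothetical; no Bro classes or BIF macros are used.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Netmask for a prefix length 0..32 (a 32-bit shift by 32 is undefined, so /0 is special-cased).
static uint32_t netmask(int width) {
    return width == 0 ? 0u : 0xFFFFFFFFu << (32 - width);
}

// Directed broadcast = network address with every host bit set.
// /31 and /32 have no broadcast address (RFC 3021 links, single hosts), so they return false.
bool broadcast_of(uint32_t prefix, int width, uint32_t* out) {
    if (width < 0 || width > 30) return false;
    uint32_t mask = netmask(width);
    *out = (prefix & mask) | ~mask;   // masking first tolerates input like 1.1.1.1/8
    return true;
}

enum class DstKind { Unicast, Multicast, LimitedBroadcast, DirectedBroadcast };
struct Net { uint32_t prefix; int width; };

// Classify a destination against 255.255.255.255, 224.0.0.0/4 and the local subnets.
DstKind classify(uint32_t dst, const Net* nets, size_t n) {
    if (dst == 0xFFFFFFFFu) return DstKind::LimitedBroadcast;
    if ((dst & 0xF0000000u) == 0xE0000000u) return DstKind::Multicast;
    for (size_t i = 0; i < n; ++i) {
        uint32_t b;
        if (broadcast_of(nets[i].prefix, nets[i].width, &b) && b == dst)
            return DstKind::DirectedBroadcast;
    }
    return DstKind::Unicast;
}

// Build a host-order address from a dotted quad.
constexpr uint32_t ip(uint32_t a, uint32_t b, uint32_t c, uint32_t d) {
    return (a << 24) | (b << 16) | (c << 8) | d;
}

int main() {
    // Constructed sample: the two subnets mentioned in the thread.
    const Net local[] = { {ip(172, 20, 1, 0), 24}, {ip(1, 1, 1, 1), 8} };
    uint32_t b = 0;
    if (!broadcast_of(local[0].prefix, local[0].width, &b)) return 1;
    std::printf("%u.%u.%u.%u\n", b >> 24, (b >> 16) & 255, (b >> 8) & 255, b & 255);
    return classify(ip(172, 20, 1, 255), local, 2) == DstKind::DirectedBroadcast ? 0 : 1;
}
```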