[Bro] udp event handlers not catching events

Johanna Amann johanna at icir.org
Mon Dec 14 15:26:47 PST 2015


> I am analyzing a pcap which contains some UDP packets. I have redefined
> both "udp_content_deliver_all_orig" and "udp_content_deliver_all_resp" as
> true, but no events are caught by "udp_request", "upd_reply", and
> "udp_contents". However, I can use "packets_content" and "is_udp_port" to
> catch the udp communications.

Do you have a copy of the actual script that you are using?

Trying the following on try.bro.org with exercise_traffic.pcap seems to
work fine:

------

redef udp_content_deliver_all_orig=T;
redef udp_content_deliver_all_resp=T;

event udp_contents(u: connection, is_orig: bool, contents: string) {
	print contents;
}

------

Johanna

