[Bro] Follow up on invoking the "protocol_confirmation" event
Earl Eiland
earl.eiland at root9b.com
Wed Jul 15 05:57:31 PDT 2015
I'll see what I can do; our data is not public. Can ICIR execute an NDA?
I can say that the MODBUS-specific logs (modbus, known_modbus and modbus_register_change) seem to be generated properly, and that Wireshark labels the traffic correctly.
Earl
-----Original Message-----
From: Seth Hall [mailto:seth at icir.org]
Sent: Wednesday, July 15, 2015 7:48 AM
To: Earl Eiland
Cc: Johanna Amann; bro at bro.org
Subject: Re: [Bro] Follow up on invoking the "protocol_confirmation" event
On Jul 15, 2015, at 8:19 AM, Earl Eiland <earl.eiland at root9b.com> wrote:
>
> It appears that for whatever reason, there may still be a disconnect between the MODBUS analyzer and ProtocolConfirmation().
The best option at this point would be to give us a small sample of the traffic that isn’t working correctly for you.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list