[Bro] Follow up on invoking the "protocol_confirmation" event

Earl Eiland earl.eiland at root9b.com
Wed Jul 15 05:57:31 PDT 2015

I'll see what I can do; our data is not public.  Can ICIR execute an NDA?  

I can say that the MODBUS-specific logs (modbus, known_modbus and modbus_register_change) seem to be generated properly, and that Wireshark labels the traffic correctly.


-----Original Message-----
From: Seth Hall [mailto:seth at icir.org] 
Sent: Wednesday, July 15, 2015 7:48 AM
To: Earl Eiland
Cc: Johanna Amann; bro at bro.org
Subject: Re: [Bro] Follow up on invoking the "protocol_confirmation" event

On Jul 15, 2015, at 8:19 AM, Earl Eiland <earl.eiland at root9b.com> wrote:
> It appears that for whatever reason, there may still be a disconnect between the MODBUS analyzer and ProtocolConfirmation().

The best option at this point would be to give us a small sample of the traffic that isn’t working correctly for you.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
