[Bro] Follow up on invoking the "protocol_confirmation" event

Earl Eiland earl.eiland at root9b.com
Wed Jul 15 06:40:07 PDT 2015


That's certainly worth a try.  How do I access this?

Earl

-----Original Message-----
From: Slagell, Adam J [mailto:slagell at illinois.edu] 
Sent: Wednesday, July 15, 2015 8:03 AM
To: Earl Eiland
Cc: Seth Hall; bro at bro.org
Subject: Re: [Bro] Follow up on invoking the "protocol_confirmation" event

New did write a simple anonymizer for a power company to share traces with us that you could use. Of course then it isn't exactly the same data anymore. 



> On Jul 15, 2015, at 7:59 AM, Earl Eiland <earl.eiland at root9b.com> wrote:
> 
> I'll see what I can do; our data is not public.  Can ICIR execute an NDA?  
> 
> I can say that the MODBUS-specific logs (modbus, known_modbus and modbus_register_change) seem to be generated properly, and that Wireshark labels the traffic correctly.
> 
> Earl
> 
> -----Original Message-----
> From: Seth Hall [mailto:seth at icir.org] 
> Sent: Wednesday, July 15, 2015 7:48 AM
> To: Earl Eiland
> Cc: Johanna Amann; bro at bro.org
> Subject: Re: [Bro] Follow up on invoking the "protocol_confirmation" event
> 
>> On Jul 15, 2015, at 8:19 AM, Earl Eiland <earl.eiland at root9b.com> wrote:
>> 
>> It appears that for whatever reason, there may still be a disconnect between the MODBUS analyzer and ProtocolConfirmation().
> 
> 
> The best option at this point would be to give us a small sample of the traffic that isn't working correctly for you.
> 
>  .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
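A diagnostic script added here as an example; it is not part of the thread above and not code from the Bro project. It separates the two signals being discussed: whether the MODBUS analyzer called ProtocolConfirmation() (visible in script-land as the protocol_confirmation event with atype == Analyzer::ANALYZER_MODBUS) and whether modbus_message events were actually parsed on the same connection. It assumes the Bro 2.x event signatures protocol_confirmation(c, atype, aid) and modbus_message(c, headers, is_orig), and that the MODBUS analyzer is enabled as in the default script set; the module name, record fields and the warning text are my own choices.

```bro
# modbus-confirm-check.bro (added example, not from the mailing-list thread
# or the Bro distribution). Assumed Bro 2.x event signatures:
#   protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
#   modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
# Usage:  bro -r sample.pcap modbus-confirm-check.bro

module ModbusConfirmCheck;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:        time    &log;
        uid:       string  &log;
        id:        conn_id &log;
        ## T once the MODBUS analyzer confirmed the protocol on this connection.
        confirmed: bool    &log &default=F;
        ## Number of modbus_message events parsed on this connection.
        msgs:      count   &log &default=0;
    };
}

# Per-connection state, keyed by connection uid, built up as events arrive.
global conns: table[string] of Info;

event bro_init()
    {
    # Log stream; the output file name is derived from the stream ID.
    Log::create_stream(LOG, [$columns=Info]);
    }

function get_info(c: connection): Info
    {
    if ( c$uid !in conns )
        conns[c$uid] = [$ts=network_time(), $uid=c$uid, $id=c$id];
    return conns[c$uid];
    }

# Fires only if the analyzer itself called ProtocolConfirmation().
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
    {
    if ( atype == Analyzer::ANALYZER_MODBUS )
        {
        local info = get_info(c);
        info$confirmed = T;
        }
    }

# Fires for every parsed MODBUS PDU, independent of confirmation.
event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
    {
    local info = get_info(c);
    ++info$msgs;
    }

event connection_state_remove(c: connection)
    {
    if ( c$uid !in conns )
        return;

    local info = conns[c$uid];

    # The case under discussion: MODBUS PDUs were parsed, yet the analyzer
    # never confirmed the protocol to the DPD framework.
    if ( info$msgs > 0 && ! info$confirmed )
        Reporter::warning(fmt("MODBUS parsed (%d msgs) but never confirmed on %s",
                              info$msgs, c$uid));

    Log::write(LOG, info);
    delete conns[c$uid];
    }
```

Run it against the trace that shows the problem and compare the confirmed and msgs columns per connection: a row with msgs > 0 and confirmed = F, together with the reporter warning, reproduces the disconnect between the analyzer and ProtocolConfirmation() without needing the original traffic to be shared; the uid in the warning can be matched against the conn.log and modbus.log entries for the same connection.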


