[Bro] SMB2 module

Danilo Nicolò dani.nicolo at gmail.com
Fri Mar 20 16:35:41 PDT 2015


Hi,


2015-03-20 20:27 GMT+01:00 Seth Hall <seth at icir.org>:

>
> > On Mar 20, 2015, at 3:08 PM, Vlad Grigorescu <vlad at grigorescu.org>
> > wrote:
> >
> > Of course, the "better" solution would be to fix the system so that it
> > can do reverse DNS lookups (and TXT queries for detect-MHR) :-)
>

At line 35 of the
/usr/local/bro/share/bro/policy/protocols/ssh/interesting-hostnames.bro
script there's the function

        lookup_addr(host)

that invokes a DNS lookup, so I definitely think that the problem is in this
function.


> Another option here is to force Bro into a mode where it fakes DNS
> responses internally.  Unfortunately there isn’t a switch to enable this in
> scripts, but you can change the behavior with an environment variable:
>
> BRO_DNS_FAKE=1 bro -r somepackets.pcap
>

I've tried to run bro with the BRO_DNS_FAKE=1 env var, but unfortunately it
didn't work.
I received the SIGSEGV signal; below you can see the gdb log:

Program received signal SIGSEGV, Segmentation fault.
0x000000000060a5d9 in SerializationFormat::WriteData (this=0x7ffff001b780,
b=b at entry=0x7fffff7ff03c, count=count at entry=2)
    at /home/danko/bro_smb/bro/src/SerializationFormat.cc:87
87 memcpy(output + output_pos, b, count);
(gdb) p output
$1 = 0x7fff51d14010 "\001"

As Vlad has suggested to me, I'm going to disable these scripts and I'll let
you know asap.

Thank you so much.

Regards,
Danilo