[Bro] How to Set N-byte of Payload to be Processed by Bro?
Vlad Grigorescu
vladg at illinois.edu
Wed Jul 6 09:41:09 PDT 2016
Hi,
There's a variable you can redefine for this, snaplen[1]. The module
that this variable is in changed from 2.4.1 to the current git master.
If you're on 2.4.1 or older, use "snaplen"; otherwise use
"Pcap::snaplen". If running Bro in standalone mode, you can do something
like:
> bro -i eth0 Pcap::snaplen=1024
Otherwise, you can add this to site/local.bro:
> redef Pcap::snaplen=1024;
One thing to note is that this only applies to capturing from live
interfaces, and not reading from PCAPs.
--Vlad
[1] - <https://www.bro.org/sphinx/scripts/base/init-bare.bro.html#id-snaplen>
Hashem Alaidaros <aidaros.dev at gmail.com> writes:
> Hi everyone,
> I use the signature framework in Bro. I want Bro to capture and process only
> the first N bytes of each packet received. In other words, only the first
> N bytes will be compared with the signature.
> How do I do that?
> Aidaros
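Added example, not part of the original thread: the snap length is counted from the start of the link-layer frame, so the headers use up part of it before any payload reaches the signature engine. The sketch below shows how many payload bytes survive a given snaplen and the smallest snaplen that keeps a pattern matchable. The frame is constructed, the function names are hypothetical, and it assumes untagged Ethernet, IPv4 and TCP.

```python
import re
import struct

ETH_LEN = 14  # assumption: untagged Ethernet II, no VLAN header

def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (addresses made up, checksums zero)."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def payload_offset(frame: bytes) -> int:
    """Offset of the TCP payload from the start of the frame."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4                 # IPv4 header length
    tcp_hdr = (frame[ETH_LEN + ihl + 12] >> 4) * 4    # TCP data offset
    return ETH_LEN + ihl + tcp_hdr

def visible_payload(frame: bytes, snaplen: int) -> bytes:
    """Payload bytes left when the capture keeps only `snaplen` bytes."""
    return frame[:snaplen][payload_offset(frame):]

def signature_matches(frame: bytes, snaplen: int, pattern: bytes) -> bool:
    """True if `pattern` is still found in the truncated payload."""
    return re.search(pattern, visible_payload(frame, snaplen)) is not None

def min_snaplen(frame: bytes, pattern: bytes):
    """Snaplen needed to keep the first full-payload match intact, or None."""
    off = payload_offset(frame)
    m = re.search(pattern, frame[off:])
    return off + m.end() if m else None

# Constructed sample: the marker sits in the third header line of the request.
SAMPLE = build_frame(b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                     b"X-Marker: suspicious-token\r\n\r\n")
PATTERN = rb"suspicious-token"

if __name__ == "__main__":
    need = min_snaplen(SAMPLE, PATTERN)
    print("payload starts at byte", payload_offset(SAMPLE))
    for snap in (64, need - 1, need, 1024):
        print(snap, len(visible_payload(SAMPLE, snap)),
              signature_matches(SAMPLE, snap, PATTERN))
```

With these headers, a snaplen of 64 leaves only 10 bytes of payload, so a value chosen as "N bytes of payload" has to be raised by the header lengths seen on the monitored link.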