[Bro] [bro] Finding specific protocols
James Lay
jlay at slave-tothe-box.net
Fri Nov 4 10:58:11 PDT 2016
On 2016-11-04 10:34, Tim Desrochers wrote:
> Is there something in Bro that will identify protocol 47, GRE tunnels.
> I see a tunnel log and conn_service_name fields that show teredo
> tunnels, but is there anything I can search to find specific GRE
> tunnels?
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
I'm trying to get this to work with protosigs, but not having much luck
matching:
signature protosig_gre {
header ip[10] == 47
event "match"
}
signature protosig_gre {
header ip[10:1] == 47
event "match"
}
so far no luck ...byte 10 in the IP header should work...still digging:
https://www.cloudshark.org/captures/000721f1edfb
James
More information about the Bro
mailing list