[Bro] Comparing file details and connection details at the same time
John B. Althouse III
sudo.darkstar at gmail.com
Fri Jan 13 11:11:33 PST 2017
Thanks Keith! For anyone else asking the same question: fa_file contains
conns, which holds the connection details in table format. Example:

    event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
        {
        for ( cid in f$conns )
            {
            if ( cid$resp_h == 10.0.0.1 )
                etc.
On Fri, Jan 13, 2017 at 9:40 AM, Seth Hall <seth at icir.org> wrote:
>
> > On Jan 12, 2017, at 7:13 PM, Keith Lehigh <klehigh at iu.edu> wrote:
> >
> > The “misc/dump-events” script is invaluable for examining packet
> captures to figure out what events fire and what data is available for a
> given event.
>
> There is one small caveat to this too. If an event isn't handled by an
> existing script, that event won't be generated and won't show up in the
> output from the dump-events script. In many cases this all works out ok,
> but I wanted to point it out to save someone a headache trying to figure
> out why an event isn't being generated.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
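A fuller version of the idea in the reply above, written as an added example rather than code from the original post: an x509_certificate handler that walks f$conns, keeps only certificates served by a configured set of hosts, and raises a Notice when the certificate is outside its validity period or carries a short RSA key. It assumes Bro 2.x script syntax; the monitored_servers addresses and the min_rsa_bits threshold are constructed values, not anything from the thread.

```bro
@load base/frameworks/notice
@load base/protocols/ssl

module MonitoredCerts;

export {
    redef enum Notice::Type += {
        ## A monitored server presented a certificate outside its validity period.
        Cert_Not_Valid_Now,
        ## A monitored server presented a certificate with a short RSA key.
        Cert_Weak_Key
    };

    ## Servers whose certificates are audited (constructed example addresses).
    const monitored_servers: set[addr] = { 10.0.0.1, 10.0.0.2 } &redef;

    ## Minimum acceptable RSA modulus length in bits (assumed policy value).
    const min_rsa_bits = 2048 &redef;
}

event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
    {
    # f$conns is a table[conn_id] of connection: iterating yields the conn_id
    # keys, and f$conns[cid] is the matching connection record.
    for ( cid in f$conns )
        {
        if ( cid$resp_h !in monitored_servers )
            next;

        local c = f$conns[cid];
        local who = fmt("%s:%s", cid$resp_h, cid$resp_p);

        # Validity window check against the time of the observed traffic.
        if ( cert$not_valid_after < network_time() ||
             cert$not_valid_before > network_time() )
            NOTICE([$note=Cert_Not_Valid_Now,
                    $msg=fmt("%s served '%s' valid %s to %s", who, cert$subject,
                             strftime("%Y-%m-%d", cert$not_valid_before),
                             strftime("%Y-%m-%d", cert$not_valid_after)),
                    $conn=c,
                    $identifier=cat(cid$resp_h, cert$serial)]);

        # key_type/key_length are &optional, so test presence before comparing.
        if ( cert?$key_type && cert$key_type == "rsa" &&
             cert?$key_length && cert$key_length < min_rsa_bits )
            NOTICE([$note=Cert_Weak_Key,
                    $msg=fmt("%s served '%s' with a %d-bit RSA key", who,
                             cert$subject, cert$key_length),
                    $conn=c,
                    $identifier=cat(cid$resp_h, cert$serial)]);
        }
    }
```

Because this script handles x509_certificate, the event is generated and will also appear in misc/dump-events output, which addresses the caveat Seth raises above.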