[Bro] Disabling an analyzer in weird
Jan Grashöfer
jan.grashoefer at gmail.com
Mon Mar 13 12:33:55 PDT 2017
Hi James,
> Well I gave it a shot...no go though:
>
> 1489425830.509505 CD8sYx3dttq6ynlg2c x.x.x.x 51132
> x.x.x.x 514 binpac exception: string mismatch at
> /home/build/bro-2.5/src/analyzer/protocol/syslog/syslog-protocol.pac:8:
> \x0aexpected pattern: "[[:digit:]]+"\x0aactual data:
> "<snip>x09MSWinEventLog\x091\x09Application\x09674838\x09Mon Mar 13
> 11:23:50 <snip> \x0a" - F worker-3-5
How did you customize the filter_weird function to match that line?
Looks like the name field also contains some context-dependent info, so
you might need a regex. However, if you see a lot of this, it might
be a good idea to dig deeper into the analyzer. Can you provide a pcap
for testing?
Jan
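The regex-based filter Jan suggests, written out as an added example (this is not code from the thread or from Bro itself). It assumes Bro 2.5's Weird::LOG stream and the logging framework's Log::Filter $pred hook; the module name, the filter name and the pattern are the example's own choices, and the pattern is built from the path fragment visible in the quoted weird.log line:

```bro
##! Added example: suppress syslog-analyzer binpac exceptions in weird.log
##! by matching the name field with a regex. Module, filter name and
##! pattern are assumptions for illustration, not part of the thread.

@load base/frameworks/notice/weird

module WeirdFilter;

export {
	## Weird names that should not be logged. The binpac message embeds
	## the .pac source path, the line number and the offending payload,
	## so an exact key in Weird::actions cannot match it; a pattern can.
	## Only the part before the first embedded newline is matched, since
	## '.' does not cross newlines in Bro patterns.
	const ignore_weird_names: pattern =
		/^binpac exception: .*syslog-protocol\.pac:[0-9]+:/ &redef;
}

## Log filter predicate: keep a record only when its name does not
## contain the ignore pattern. 'in' searches, so the rest of the
## exception text (expected pattern, actual data) does not matter.
function keep_weird(rec: Weird::Info): bool
	{
	return ignore_weird_names !in rec$name;
	}

## Negative priority so this runs after the stream is created at
## priority 5 in base/frameworks/notice/weird.bro.
event bro_init() &priority=-5
	{
	# Swap the default filter, which writes every Weird::Info, for one
	# that applies the predicate. Output still goes to weird.log.
	Log::remove_default_filter(Weird::LOG);
	Log::add_filter(Weird::LOG, [$name="weird-ignore-syslog-binpac",
	                            $path="weird",
	                            $pred=keep_weird]);
	}
```

Load it from local.bro and confirm with a pcap that the binpac lines disappear while other weird names still appear. Note that this only hides the symptom: the syslog analyzer still aborts on every such message, so Jan's suggestion to look at the analyzer with a test pcap remains the real fix if the volume is high.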