[Bro] Add a counter in a script (arp_main.bro)
Nicolas KRASINSKI
krasinski at cines.fr
Mon Jul 30 08:25:01 PDT 2018
Hello,
In the script arp_main.bro ( https://gist.github.com/grigorescu/a28b814a8fb626e2a7b4715d278198aa ),
there is a part of the code (lines 216 to 228) that can detect gratuitous ARP (multiple is-at packets):
-----------------------------------------------------------------------------
# Check if reply is unsolicited and get request record
local request: Info;
if ( [THA, TPA, SPA] !in arp_state$requests ) {
    request = new_arp_request(THA, SHA);
    request$unsolicited = T;
    NOTICE([$note=Unsolicited_Reply, $src=SPA, $msg=fmt("%s: request[%s, %s, %s]", msg, THA, TPA, SPA)]);
} else {
    request = arp_state$requests[THA, TPA, SPA];
    delete arp_state$requests[THA, TPA, SPA];
}
request$is_at = SHA;
-----------------------------------------------------------------------------
The problem is that each time the script detects more than one ARP packet (is-at), it sends an alert: "unsolicited_reply".
I would like to add a counter so that an alert is sent after x 'is-at' packets.
Can someone help me?
Sorry for my English.
Thanks a lot!
Nicolas.
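
One way to add the requested counter, as an added example that is not part of the original post or of arp_main.bro: count unsolicited replies per sender in an expiring table and raise a notice only when the count reaches a threshold. The module name, notice type, option names and the helper count_unsolicited are hypothetical; the parameter types assume the values come from Bro's arp_reply event (SPA and TPA as addr, THA as string).

```bro
# Added example, not code from arp_main.bro. All names below are hypothetical.
# Intended use: in the "unsolicited" branch quoted above, call
#   ARPThreshold::count_unsolicited(SPA, THA, TPA);
# in place of the NOTICE([$note=Unsolicited_Reply, ...]) line.
@load base/frameworks/notice

module ARPThreshold;

export {
	redef enum Notice::Type += {
		## A sender reached the unsolicited is-at threshold.
		Unsolicited_Reply_Threshold
	};

	## Number of unsolicited replies from one sender that triggers the notice.
	const unsolicited_threshold: count = 5 &redef;

	## Counting window: a sender's counter is dropped this long after
	## its first unsolicited reply.
	const unsolicited_window: interval = 1min &redef;

	global count_unsolicited: function(SPA: addr, THA: string, TPA: addr);
}

# Per-sender counter. &create_expire removes each entry a fixed time after
# it was created, so the count restarts with every new window.
global unsolicited_seen: table[addr] of count
	&create_expire=unsolicited_window;

function count_unsolicited(SPA: addr, THA: string, TPA: addr)
	{
	if ( SPA !in unsolicited_seen )
		unsolicited_seen[SPA] = 0;

	unsolicited_seen[SPA] = unsolicited_seen[SPA] + 1;

	# Alert once per window, at the moment the threshold is reached.
	if ( unsolicited_seen[SPA] == unsolicited_threshold )
		NOTICE([$note=Unsolicited_Reply_Threshold, $src=SPA,
		        $msg=fmt("%d unsolicited ARP replies within %s: request[%s, %s, %s]",
		                 unsolicited_threshold, unsolicited_window, THA, TPA, SPA)]);
	}
```

Both values are declared &redef, so the threshold (the "x" in the question) and the window can be tuned from local.bro without editing the script.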