[Bro] Trouble with pppoe-traffic

Seth Hall seth at corelight.com
Wed Sep 5 12:06:17 PDT 2018


What version of Bro are you running?  In your pppoe_get2.pcap file Bro 
2.5.3 worked fine for me.  I got all of the files that I would expect.  
The reason the other file didn't work is that your HTTP request in that 
one doesn't have the TCP handshake and Bro's HTTP analyzer is sensitive 
to not having the handshake.  If the handshake is missing Bro will 
currently not analyze the connection as HTTP.

   .Seth

On 5 Sep 2018, at 5:31, Александр Кубышин wrote:

> Good day all,
>
> My IDS server receives mirrored traffic from the switch. In addition
> to classic traffic, I also see PPPoE traffic.
> But why does Bro not recognize this traffic? What could be the
> problem?
>
> What kind of customization is needed for Bro to see this type of
> traffic?
>
> Here are links to samples of this traffic:
>
> *  https://www.dropbox.com/s/2fdxpdxkv0pm31s/pppoe_get.pcap?dl=0  
> *  https://www.dropbox.com/s/jb6yazrfeydtrqm/pppoe_get2.pcap?dl=0
>
>
> -- 
> Alexander Kubyshin



--
Seth Hall * Corelight, Inc * www.corelight.com
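
Added example, not part of the original thread and not Bro's own code: a Python check that decodes plain and PPPoE-encapsulated IPv4/TCP frames and lists connections that carry payload although no SYN and SYN/ACK were captured, which is the condition the reply describes. The function names, addresses and sample frames are constructed for illustration; VLAN tags, IPv6 and truncated frames are not handled.

```python
import struct

PPPOE_SESSION, IPV4, PPP_IPV4 = 0x8864, 0x0800, 0x0021
SYN, ACK = 0x02, 0x10

def tcp_segment(frame):
    """Return (src, sport, dst, dport, flags, payload_len), or None if not IPv4/TCP."""
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == PPPOE_SESSION and struct.unpack_from("!H", frame, 20)[0] == PPP_IPV4:
        off += 8  # skip the 6-byte PPPoE header and the 2-byte PPP protocol field
    elif ethertype != IPV4:
        return None
    ihl = (frame[off] & 0x0F) * 4
    if frame[off + 9] != 6:  # IP protocol 6 = TCP
        return None
    total_len = struct.unpack_from("!H", frame, off + 2)[0]
    src, dst = frame[off + 12:off + 16], frame[off + 16:off + 20]
    tcp = off + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    hdr_len, flags = (frame[tcp + 12] >> 4) * 4, frame[tcp + 13]
    return src, sport, dst, dport, flags, total_len - ihl - hdr_len

def flows_without_handshake(frames):
    """Connections that carry payload but whose SYN and SYN/ACK were not captured."""
    seen = {}  # endpoint pair -> [saw SYN, saw SYN/ACK, payload bytes]
    for frame in frames:
        seg = tcp_segment(frame)
        if seg is None:
            continue
        src, sport, dst, dport, flags, plen = seg
        state = seen.setdefault(tuple(sorted([(src, sport), (dst, dport)])), [False, False, 0])
        if flags & SYN:
            state[1 if flags & ACK else 0] = True
        state[2] += plen
    return [k for k, (syn, synack, n) in seen.items() if n and not (syn and synack)]

def sample_frame(src, dst, sport, dport, flags, payload=b"", pppoe=True):
    """Build a constructed test frame (zero MACs and checksums, not captured traffic)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    pkt = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    if pppoe:
        pkt = struct.pack("!BBHHH", 0x11, 0, 1, len(pkt) + 2, PPP_IPV4) + pkt
    return bytes(12) + struct.pack("!H", PPPOE_SESSION if pppoe else IPV4) + pkt

C, S = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])  # constructed addresses
GET = sample_frame(C, S, 40000, 80, 0x18, b"GET / HTTP/1.1\r\n\r\n")
COMPLETE = [sample_frame(C, S, 40000, 80, SYN), sample_frame(S, C, 80, 40000, SYN | ACK),
            sample_frame(C, S, 40000, 80, ACK), GET]
print(len(flows_without_handshake(COMPLETE)), len(flows_without_handshake([GET])))
```

To run it on a real capture, pass the raw link-layer frames from any pcap reader to `flows_without_handshake`.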