[Bro] Trouble with pppoe-traffic
Seth Hall
seth at corelight.com
Wed Sep 5 12:06:17 PDT 2018
What version of Bro are you running? In your pppoe_get2.pcap file Bro
2.5.3 worked fine for me. I got all of the files that I would expect.
The reason the other file didn't work is that your HTTP request in that
one doesn't have the TCP handshake, and Bro's HTTP analyzer is sensitive
to not having the handshake. If the handshake is missing, Bro will
currently not analyze the connection as HTTP.
.Seth
On 5 Sep 2018, at 5:31, Александр Кубышин wrote:
> Good day all,
>
> My IDS server receives mirrored traffic from the switch. In addition
> to classic traffic, I also see PPPoE traffic.
> But why does Bro not recognize this traffic? What could be the
> problem?
>
> What kind of customization is needed for Bro to see this type of
> traffic?
>
> Here are links to samples of this traffic:
>
> * https://www.dropbox.com/s/2fdxpdxkv0pm31s/pppoe_get.pcap?dl=0
> * https://www.dropbox.com/s/jb6yazrfeydtrqm/pppoe_get2.pcap?dl=0
>
>
> --
> Alexander Kubyshin
--
Seth Hall * Corelight, Inc * www.corelight.com
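
One way to check a capture for the condition described in the reply above (TCP connections recorded without their SYN / SYN-ACK exchange), looking inside PPPoE session frames as well as plain Ethernet. This is an added example, not code from the thread or from Bro; the function names are hypothetical and `build_frame` only produces constructed sample frames for trying it out.

```python
import struct

ETH_IPV4, ETH_PPPOE_SESSION = 0x0800, 0x8864   # EtherTypes
PPP_IPV4 = 0x0021                              # PPP protocol id for IPv4
SYN, ACK = 0x02, 0x10                          # TCP flag bits

def parse_tcp(frame):
    """Return (src, sport, dst, dport, flags) for TCP/IPv4, plain or PPPoE, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == ETH_PPPOE_SESSION:
        # 6-byte PPPoE header (ver/type, code, session id, length) + 2-byte PPP protocol
        if len(frame) < 22 or struct.unpack("!H", frame[20:22])[0] != PPP_IPV4:
            return None
        off = 22
    elif ethertype != ETH_IPV4:
        return None
    ip = frame[off:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or (ip[0] & 0x0F) < 5 or ip[9] != 6:
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]              # skip the IP header, options included
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return ip[12:16], sport, ip[16:20], dport, tcp[13]

def flows_missing_handshake(frames):
    """Return the TCP flows for which a SYN and a SYN-ACK were not both captured."""
    seen, syn, synack = set(), set(), set()
    for frame in frames:
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        key = tuple(sorted([(src, sport), (dst, dport)]))   # direction-independent
        seen.add(key)
        if flags & SYN:
            (synack if flags & ACK else syn).add(key)
    return seen - (syn & synack)

def build_frame(src, sport, dst, dport, flags):
    """Constructed sample: PPPoE session frame carrying a bare TCP/IPv4 segment."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    ppp = struct.pack("!BBHHH", 0x11, 0, 1, len(ip) + len(tcp) + 2, PPP_IPV4)
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_PPPOE_SESSION) + ppp + ip + tcp
```

`flows_missing_handshake` takes an iterable of raw Ethernet frames as bytes, such as the packet records read from a pcap file. An empty result means every TCP flow in the capture includes both halves of its handshake.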