Hi,
I’m trying to use BRO to analyze data based on the NetBIOS protocol: I’m using BRO 2.3.1.
I’ve made a small script with these lines:
…snippet…
const NetBIOSports = { 138/udp, 139/tcp, 445/tcp };
event bro_init() &priority=5
    {
    Analyzer::register_for_ports(Analyzer::ANALYZER_NETBIOSSSN, NetBIOSports);
    }
…
Below you can see my stderr.log:
Internal error: unknown analyzer name NETBIOS; mismatch with tag analyzer::Component?
What does it mean?
Another question: is the SMB2.0 protocol supported by BRO or not?
Thanks,
Vito
> I'm trying to use BRO to analyze data based on the NetBIOS protocol: I'm using BRO 2.3.1.
SMB support in 2.3.1 (and earlier) is broken and wildly incomplete.
> Another question: is the SMB2.0 protocol supported by BRO or not?
It should be moderately supported in 2.4. Broala has contributed an SMB (1+2) analyzer and it should be in 2.4.
.Seth
Hi Seth,
thanks for your support: about NetBIOS, do you have any suggestion? What’s wrong?
Vito
I don't know about the problem you're encountering, but I believe that even if you got the analyzer attached it wouldn't do much for you.
.Seth
Sorry Seth,
but I don’t understand your answer: what do you mean by “… I believe that even if you got the analyzer attached it wouldn’t do much for you”?
Because I want to analyze and decode all NetBIOS traffic, with the help of Google and your useful mailing list I’ve written a test script like this:
…snippet…
const NetBIOSports = { 138/udp, 139/tcp, 445/tcp };
event bro_init() &priority=5
    {
    Analyzer::register_for_ports(Analyzer::ANALYZER_NETBIOSSSN, NetBIOSports);
    }
event netbios_session_message(c: connection, is_orig: bool, msg_type: count, data_len: count) &priority=5
    {
    print "netbios_session_message";
    }
…
But Bro gives me this error:
Internal error: unknown analyzer name NETBIOS; mismatch with tag analyzer::Component?
Am I using Bro in the wrong way?