Hello,
I am working on a sniffer based on Bro (for educational purposes) and I am facing problems with the RPC Analyzer configuration.
In fact it is not activated by default on Bro:
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
With regard to this Todo section in the Bro::RPC analyzer, I tried to register a port for RPC and NFS with the following script:
const ports = {111/tcp, 111/udp, 747/udp, 759/tcp, 762/udp, 764/tcp, 2049/udp};
redef likely_server_ports += {ports};

event bro_init() &priority=5
    {
    Analyzer::register_for_ports(Analyzer::ANALYZER_NFS, ports);
    }

event nfs_proc_getattr(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t)
    {
    print "hi";
    }
but I have got this error:
944207397.280000 internal error: unknown analyzer name RPC; mismatch with tag analyzer::Component?
Please could you help me with any hint to understand what I am supposed to do.
Thank you in advance.
Best Regards,
Zakaria