Hi everyone,
I use the signature framework in Bro. I want Bro to capture and process only the first N bytes of each packet received. In other words, only the first N bytes will be compared with the signature.
How to do that?
Aidaros
Hi,
There's a variable you can redefine for this, snaplen[1]. The module
that this variable is in changed from 2.4.1 to the current git master.
If you're on 2.4.1 or older, use "snaplen" otherwise use
"Pcap::snaplen". If running Bro in standalone mode, you can do something
like:
bro -i eth0 Pcap::snaplen=1024
Otherwise, you can add this to site/local.bro:
redef Pcap::snaplen=1024;
One thing to note is that this only applies to capturing from live
interfaces, and not reading from PCAPs.
--Vlad
[1] - <https://www.bro.org/sphinx/scripts/base/init-bare.bro.html#id-snaplen>
Hashem Alaidaros <aidaros.dev@gmail.com> writes:
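An added helper, not from the thread, that applies Vlad's version rule: it picks "snaplen" for Bro 2.4.1 and older and "Pcap::snaplen" for anything newer, then builds either the standalone command line or the site/local.bro line. It assumes the version string looks like what `bro --version` prints, e.g. "2.4.1" or "2.5", with at least major.minor present.

```shell
# snaplen_redef VERSION BYTES -> prints the redef argument for `bro`
# (assumed version format: major.minor[.patch], e.g. 2.4.1 or 2.5)
snaplen_redef() {
    ver=$1
    bytes=$2
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -s -d. -f2)
    patch=$(printf '%s' "$ver" | cut -s -d. -f3)
    # Missing components default to 0, so "2.5" compares as 2.5.0.
    : "${minor:=0}" "${patch:=0}"
    # Encode the version as one comparable integer, e.g. 2.4.1 -> 20401.
    code=$(( major * 10000 + minor * 100 + patch ))
    if [ "$code" -le 20401 ]; then
        # 2.4.1 and older: the variable lived at top level.
        printf 'snaplen=%s\n' "$bytes"
    else
        # Newer than 2.4.1: the variable moved into the Pcap module.
        printf 'Pcap::snaplen=%s\n' "$bytes"
    fi
}

# bro_cmdline IFACE VERSION BYTES -> standalone command line for live capture
bro_cmdline() {
    printf 'bro -i %s %s\n' "$1" "$(snaplen_redef "$2" "$3")"
}

# local_bro_line VERSION BYTES -> line to append to site/local.bro
local_bro_line() {
    printf 'redef %s;\n' "$(snaplen_redef "$1" "$2")"
}
```

As in the reply above, the setting only affects live capture, so the generated line does nothing when Bro reads a PCAP file.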