I am just wondering whether the IGMP analyzer is available in the new version of bro 1.3.2???
What IGMP analyzer are you referring to?
Vern
I am having a trace file containing an attack related to bid 514.
"DOS IGMP dos attack sid 1:273:8 bid 514;"
snort is showing up but the converted snort2bro rule
signature s2b-273-8 {
header ip[9:1] == 2
event "DOS IGMP dos attack sid 1:273:8 bid 514;"
header ip[6:1] & 224 == 32
}
is not throwing any alerts.
That's the reason why I asked.
Thanks,
UC
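To see what the imported rule actually tests, here is an added example (my own Python, not code from this thread, from Bro, or from snort2bro) that evaluates the two `header` conditions of s2b-273-8 over raw IPv4 headers. The `build_ipv4_header` helper and the sample packets are constructed for illustration; in Bro's syntax `ip[6:1] & 224 == 32` reads the flags byte and requires MF set with DF and the reserved bit clear, i.e. a non-final fragment.

```python
import struct

# The two `header` conditions of signature s2b-273-8, written as
# (offset, length, mask, value) over the raw IPv4 header:
#   header ip[9:1] == 2        -> protocol field == 2 (IGMP)
#   header ip[6:1] & 224 == 32 -> flags byte & 0xE0 == 0x20: MF set, DF clear
S2B_273_8_CONDITIONS = [
    (9, 1, 0xFF, 2),
    (6, 1, 224, 32),
]


def ip_header_field(pkt: bytes, offset: int, length: int) -> int:
    """Big-endian integer value of `length` bytes at `offset` in the IPv4 header."""
    if len(pkt) < offset + length:
        raise ValueError("packet too short for requested header field")
    return int.from_bytes(pkt[offset:offset + length], "big")


def matches_s2b_273_8(pkt: bytes) -> bool:
    """True when every header condition of s2b-273-8 holds (conditions are ANDed)."""
    # Only a well-formed IPv4 header (version nibble 4, at least 20 bytes) is considered.
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    return all((ip_header_field(pkt, off, ln) & mask) == val
               for off, ln, mask, val in S2B_273_8_CONDITIONS)


def build_ipv4_header(proto: int, flags: int, frag_offset: int = 0, payload_len: int = 8) -> bytes:
    """Constructed IPv4 packet for testing (checksum left zero; the rule never reads it).

    `flags` is the 3-bit field: bit 2 = reserved, bit 1 = DF, bit 0 = MF.
    """
    flags_frag = (flags << 13) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + payload_len, 0x1234, flags_frag,
                         64, proto, 0, bytes(4), bytes(4))
    return header + bytes(payload_len)


# Constructed samples (not captured traffic):
FRAGMENTED_IGMP = build_ipv4_header(proto=2, flags=0b001)           # MF set: matches
PLAIN_IGMP = build_ipv4_header(proto=2, flags=0b000)                # unfragmented: no match
FRAGMENTED_UDP = build_ipv4_header(proto=17, flags=0b001)           # wrong protocol: no match
LAST_IGMP_FRAGMENT = build_ipv4_header(proto=2, flags=0b000, frag_offset=185)  # MF clear: no match

if __name__ == "__main__":
    for name, pkt in [("FRAGMENTED_IGMP", FRAGMENTED_IGMP), ("PLAIN_IGMP", PLAIN_IGMP),
                      ("FRAGMENTED_UDP", FRAGMENTED_UDP), ("LAST_IGMP_FRAGMENT", LAST_IGMP_FRAGMENT)]:
        print(f"{name}: {'ALERT' if matches_s2b_273_8(pkt) else 'no match'}")
```

The last sample shows the caveat worth checking against a trace: the final fragment of an IGMP datagram has MF clear, so this rule can only fire on the non-final fragments.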
I am having a trace file containing an attack related to bid 514.
Can you send it?
snort is showing up but the converted snort2bro rule
signature s2b-273-8 {
header ip[9:1] == 2
event "DOS IGMP dos attack sid 1:273:8 bid 514;"
header ip[6:1] & 224 == 32
}
Note, we don't term this an IGMP *analyzer*, just an imported Snort rule.
We don't support such rules other than in terms of fixing problems they
exhibit that are due to Bro's underlying signature-matcher. (That is, we
don't vouch for the Snort rules, nor try to clean them up, nor support the
snort2bro translation utility.)
Vern