IGMP analyzer

I am just wondering whether the IGMP analyzer is available in the new version of Bro 1.3.2?

What IGMP analyzer are you referring to?

    Vern

I have a trace file containing an attack related to bid 514.

DOS IGMP dos attack sid 1:273:8 bid 514;"

Snort is showing up but the converted snort2bro rule
signature s2b-273-8 {
  header ip[9:1] == 2
  event "DOS IGMP dos attack sid 1:273:8 bid 514;"
  header ip[6:1] & 224 == 32
}

is not throwing any alerts.

That's the reason why I asked.

Thanks,
UC

I have a trace file containing an attack related to bid 514.

Can you send it?

Snort is showing up but the converted snort2bro rule
signature s2b-273-8 {
  header ip[9:1] == 2
  event "DOS IGMP dos attack sid 1:273:8 bid 514;"
  header ip[6:1] & 224 == 32
}

Note, we don't term this an IGMP *analyzer*, just an imported Snort rule.
We don't support such rules other than in terms of fixing problems they
exhibit that are due to Bro's underlying signature-matcher. (That is, we
don't vouch for the Snort rules, nor try to clean them up, nor support the
snort2bro translation utility.)

    Vern
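
To check, independently of Bro, whether packets in a trace satisfy the two header conditions of s2b-273-8, the following added example (not from this thread or the Bro project) evaluates them over a classic pcap file. The function names and the sample packets are constructed for illustration, and only Ethernet captures are handled.

```python
import struct

def header_matches(ip: bytes) -> bool:
    """Evaluate both header conditions of s2b-273-8 on a raw IPv4 header."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return False
    is_igmp = ip[9] == 2            # header ip[9:1] == 2: protocol field is IGMP
    # header ip[6:1] & 224 == 32: of the three flag bits (reserved 0x80,
    # DF 0x40, MF 0x20), only "more fragments" is set.
    only_mf = (ip[6] & 224) == 32
    return is_igmp and only_mf

def scan_pcap(data: bytes) -> list:
    """Return indices of packets in a classic Ethernet pcap that match."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    hits, off, idx = [], 24, 0
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        is_ipv4 = len(frame) >= 14 and frame[12:14] == b"\x08\x00"
        if is_ipv4 and header_matches(frame[14:]):
            hits.append(idx)
        off += 16 + incl_len
        idx += 1
    return hits

def _ip(proto: int, flags_byte: int) -> bytes:
    # Constructed 20-byte IPv4 header; checksum zero, documentation addresses.
    return struct.pack("!BBHHBBBBH4s4s", 0x45, 0, 20, 1, flags_byte, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))

def build_sample_pcap() -> bytes:
    # Constructed capture: IGMP+MF, IGMP without MF, UDP+MF, IGMP with DF+MF.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for proto, flags in [(2, 0x20), (2, 0x00), (17, 0x20), (2, 0x60)]:
        frame = b"\x00" * 12 + b"\x08\x00" + _ip(proto, flags)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(scan_pcap(build_sample_pcap()))
```

Passing the bytes of a real trace to `scan_pcap` shows which packets, if any, meet both header conditions, which separates a trace that never satisfies the rule from a matcher that fails to fire on it.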