Partial tcpdump traces

Hi,

I have a trickier question than last time. I am inputting into Bro partial tcpdump traces (by using the -s option in tcpdump - I am now getting only the first 100 bytes of a packet instead of the full packet). The problem though is that in Bro it seems to discard the entire payload. Is there any way to force Bro to keep the payload? This is a problem since, as it is discarding the payload, any signature that does a payload match does not work anymore. For a tcpdump trace that has the entire payload this does not occur, as it keeps the payload then and finds the proper signature.

As an example, in the following snippet of code, the event only prints the payload when a full tcpdump trace is given.

http://osdir.com/ml/security.detection.bro/2004-07/msg00013.html

@load site
@load snort
@load weird
@load alarm

redef signature_files += "sigs/test.sig";

event signature_match(state: signature_state, msg: string, data: string)
{
    # Note: data is the payload. Example: print fmt("%s", data);
    print fmt("Print payload:\n%s", data);
}

Any suggestions?
Thanks.

Daniel.

> I have a trickier question than last time. I am inputting into Bro partial
> tcpdump traces (by using the -s option in tcpdump - I am now getting only
> the first 100 bytes of a packet instead of the full packet).

You can force more analysis by running with bro -C to disable checksum
validation. However, you'll only get very limited analysis out of the
system, since it's designed to operate on full payloads.

    Vern
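As an added example (not from the thread or from Bro itself): before feeding a trace to Bro, it helps to know whether it was captured with a reduced snaplen and how much payload is missing. The pcap parser below walks the classic libpcap format and compares each record's captured length with its on-the-wire length; the sample capture it builds is constructed inline (a 60-byte and a 300-byte packet written with snaplen 100), not real traffic.

```python
import struct

GLOBAL_HDR_LEN = 24   # magic, version, tz offset, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)

def build_sample_pcap(snaplen: int = 100) -> bytes:
    """Constructed sample, not a real capture: a 60-byte packet that fits in the
    snaplen and a 300-byte packet that tcpdump -s would cut down to snaplen bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for orig_len in (60, 300):
        incl_len = min(orig_len, snaplen)
        out += struct.pack("<IIII", 0, 0, incl_len, orig_len) + b"\x00" * incl_len
    return out

def truncation_report(pcap: bytes) -> dict:
    """Compare each record's captured length with its on-the-wire length.
    A record with incl_len < orig_len has lost payload to the snaplen, which is
    why Bro cannot verify its transport checksum (the checksum covers the whole
    segment) and discards it unless checksum validation is turned off."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"            # little-endian writer (usual on x86)
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"            # big-endian writer
    else:
        raise ValueError("not a classic libpcap file (pcapng or unknown magic)")
    snaplen = struct.unpack(endian + "I", pcap[16:20])[0]
    total = truncated = bytes_lost = 0
    offset = GLOBAL_HDR_LEN
    while offset + RECORD_HDR_LEN <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", pcap[offset:offset + RECORD_HDR_LEN])
        offset += RECORD_HDR_LEN + incl_len
        if offset > len(pcap):
            raise ValueError("record runs past end of file; capture is corrupt or cut short")
        total += 1
        if incl_len < orig_len:
            truncated += 1
            bytes_lost += orig_len - incl_len
    return {"snaplen": snaplen, "packets": total, "truncated": truncated, "bytes_lost": bytes_lost}

if __name__ == "__main__":
    for snap in (100, 65535):
        print(snap, truncation_report(build_sample_pcap(snap)))
```

A non-zero `truncated` count tells you in advance that payload-matching signatures will miss on that trace, whatever Bro flags you run with.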