Hi all,
I made a pull request a while ago to add/update messages for the SMB
analyzer and I did not get any feedback. Is there something wrong with
it? I'd be happy to modify it to fit your requirements if necessary.
You can find it here: https://github.com/bro/bro/pull/119.
Regards,
> I call "TCP server banner" the first chunk of data a server sends,
> before the client has sent data (if the client sends data before the
> server, I don't want to log anything).
A solution could be to blacklist such connections, i.e. if there is data
sent by the client, then do not log:
>
> Another thing that comes to me is what if you miss the SYN or the
> SYN-ACK segment sent by your client?
I meant SYN or ACK (third one in the handshake) segment sent by the
client. Sorry.
Regards,
___
bro-dev mailing list
bro-dev@bro.org
http://mai
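The banner rule from the reply above (log the first server-sent chunk only when the client has sent no data before it) and the missed-handshake caveat, as an added Python model that is not Bro code and not from the thread. The segment tuples, the flag sets and the choice to abstain when no client SYN/ACK was observed are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed segment model (not Bro's event API): (direction, flags, payload).
# direction is "c" (client -> server) or "s" (server -> client); flags is a
# frozenset of TCP flag names; payload is the data carried by the segment.
Segment = Tuple[str, frozenset, bytes]
SYN, ACK, SYNACK = frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"SYN", "ACK"})

@dataclass
class BannerTracker:
    """Decide whether the first server data of a connection is a 'server banner'."""
    handshake_seen: bool = False   # client SYN or the client's bare third ACK observed
    client_bytes: int = 0          # data the client has sent so far
    banner: Optional[bytes] = None
    decided: bool = False

    def feed(self, seg: Segment) -> None:
        direction, flags, payload = seg
        if self.decided:
            return
        if direction == "c" and not payload:
            # SYN or the handshake's third ACK: both are sent by the client.
            if "SYN" in flags or "ACK" in flags:
                self.handshake_seen = True
            return
        if direction == "c":
            # Client spoke first: blacklist this connection and log nothing.
            self.client_bytes += len(payload)
            self.decided = True
            return
        if direction == "s" and payload:
            # First server data. Assumption: if the handshake was missed, the
            # orientation cannot be trusted, so abstain rather than log.
            if self.handshake_seen and self.client_bytes == 0:
                self.banner = payload
            self.decided = True

def server_banner(segments: List[Segment]) -> Optional[bytes]:
    tracker = BannerTracker()
    for seg in segments:
        tracker.feed(seg)
    return tracker.banner

# Constructed sample connections.
SERVER_FIRST = [("c", SYN, b""), ("s", SYNACK, b""), ("c", ACK, b""),
                ("s", ACK, b"220 mail.example.test ESMTP\r\n")]
CLIENT_FIRST = [("c", SYN, b""), ("s", SYNACK, b""), ("c", ACK, b""),
                ("c", ACK, b"GET / HTTP/1.0\r\n\r\n"), ("s", ACK, b"HTTP/1.0 200 OK\r\n")]
MISSED_HANDSHAKE = [("s", ACK, b"220 mail.example.test ESMTP\r\n")]
```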
Hi all,
As I looked into SMBv1 analyzer, I found that most of the files
describing SMB messages have code duplication. According to the SMB
specification ([MS-CIFS]), SMB messages are composed of a fixed-length
header (defined as SMB_Header in smb1-protocol.pac for Bro) and then of
two "blocks":