Can't trigger events in Bro_RPC.events.bif.bro #684
Comments
The RPC-based protocol analyzers (portmapper, nfs, mount) aren't enabled by default, as mentioned in the docs for the events. You could enable, for example, the portmapper analyzer in a script like this (or use

```zeek
const pm_ports = { 111/udp };
redef likely_server_ports += { pm_ports };

event zeek_init()
    {
    Analyzer::register_for_ports(Analyzer::ANALYZER_PORTMAPPER, pm_ports);
    }
```

Others would need different port definitions to enable. But also, looking at some of the pcaps you referenced and trying that, it seems like the RPC parser/analyzer is just not working correctly (at a glance, the parsing logic in
Thank you for your suggestions! I tried the built-in analyzer called ANALYZER_CONTENTS_RPC, and part of the code:

```zeek
const pm_ports = { 111/udp };
redef likely_server_ports += { pm_ports };

event zeek_init()
    {
    # enable RPC-based protocol analyzers
    Analyzer::register_for_ports(Analyzer::ANALYZER_PORTMAPPER, pm_ports);
    Analyzer::enable_analyzer(Analyzer::ANALYZER_PORTMAPPER);
    # Analyzer::register_for_ports(Analyzer::ANALYZER_CONTENTS_RPC, pm_ports);
    Analyzer::enable_analyzer(Analyzer::ANALYZER_CONTENTS_RPC);
    }

event rpc_call(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count)
    {
    print "rpc_call!";
    }

event rpc_reply(c: connection, xid: count, status: rpc_status, reply_len: count)
    {
    print "rpc_reply!";
    }
```

After executing the script, only the rpc_reply event was triggered.
I saw these statements under the RPC-based events' doc:

> Zeek's current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Does adding a DPD payload signature work? If so, how can I add a DPD payload signature? I have loaded the scripts in path /share/zeek/policy/frameworks/dpd/.
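The two activation paths mentioned in this thread (the port registration suggested in the reply above, and the DPD payload signature the docs refer to) put together in one added example. This is not code from the issue or from the Zeek project: the file names, the signature name, and the assumption that `"portmapper"` is the name the `enable` action expects for `ANALYZER_PORTMAPPER` are mine. The payload pattern encodes the fixed header of an ONC RPC v2 CALL to program 100000 (portmapper) over UDP. It only activates the analyzer; it does nothing about the parser problem the maintainer mentions.

```zeek
# ---------------- rpc-portmapper.sig (constructed for this example) ----------------
#
# ONC RPC v2 call header, big-endian 32-bit fields:
#   xid (any) | msg_type = 0 (CALL) | rpcvers = 2 | prog = 100000 (0x000186a0)
# TCP-transported RPC prefixes a 4-byte record mark, so this pattern is UDP-only.
signature dpd_rpc_portmapper_call {
  ip-proto == udp
  payload /^[\x00-\xff]{4}\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa0/
  # Assumed DPD name of ANALYZER_PORTMAPPER; attaches the analyzer on match.
  enable "portmapper"
  # Also raise signature_match so the hit is visible in the script below.
  event "dpd: portmapper RPC call"
}

# ---------------- rpc-portmapper.zeek (constructed for this example) ---------------
@load-sigs ./rpc-portmapper.sig

# Path 1: port-based activation. 111/tcp is included so record-marked TCP
# portmapper traffic, which the UDP-only signature above cannot match, is covered.
const pm_ports = { 111/tcp, 111/udp } &redef;
redef likely_server_ports += { pm_ports };

event zeek_init()
    {
    Analyzer::register_for_ports(Analyzer::ANALYZER_PORTMAPPER, pm_ports);
    }

# Path 2: the signature's "event" action lands here whenever the payload
# matches, independent of the port the traffic used.
event signature_match(state: signature_state, msg: string, data: string)
    {
    print fmt("%s matched on %s", state$sig_id, state$conn$id);
    }

event rpc_call(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count)
    {
    print fmt("rpc_call  %s xid=%d prog=%d ver=%d proc=%d call_len=%d",
              c$id, xid, prog, ver, proc, call_len);
    }

event rpc_reply(c: connection, xid: count, status: rpc_status, reply_len: count)
    {
    print fmt("rpc_reply %s xid=%d status=%s reply_len=%d",
              c$id, xid, status, reply_len);
    }
```

Run it against a capture with `zeek -r phase-2-dump.pcap rpc-portmapper.zeek` (add `-C` only if checksum errors are discarding packets). Seeing `signature_match` fire without a following `rpc_call` means the analyzer was attached and the problem is in the parser, not in activation. On Bro 2.x the binary is `bro` and the init event is `bro_init`; the rest is unchanged.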
The parsing logic that should be specific to the AUTH_UNIX credential flavor was previously applied unconditionally to other flavors.
Thanks!
The parsing logic that should be specific to the AUTH_UNIX credential flavor was previously applied unconditionally to other flavors. (cherry picked from commit 37a478a)
Dear developers.
I am very sorry to disturb you. I use an old version of Zeek (Bro 2.x), and I use Bro to analyze the data set LLDoS1.0 (phase-2-dump), in which there are many RPC calls. But none of the events related to RPC are triggered.
Such as this:

```zeek
event rpc_call(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count)
    {
    print "rpc_call!";
    }
```

Are all of these RPC events implemented? Or is there something wrong with the code? Thank you very much!