[Bro] Application Layer Classification

Jean-Philippe Luiggi jp.luiggi at free.fr
Mon Jan 15 08:25:33 PST 2007

Hello Christian,

As far i know, Bro's able to catch this problem but you need to use the
"DPD.bro" module.

>From brolite.bro :

## Dynamic Protocol Detection configuration
# This is off by default, as it requires a more powerful Bro host.
# Uncomment next line to activate.
# const use_dpd = T;

@ifdef ( use_dpd )
       @load dpd
       	     @load irc-bot

Just uncomment  "const use_dpd = T;" and you'll get it (it works as is at

Best regards.

On Mon, Jan 15, 2007 at 03:59:02PM +0100, Christian Novello wrote:
> Dear all,
> here at Turin Polytechnic (Italy) we're working with Bro 1.2.1 and we're
> having some trouble in classifying packets that do not use a standard port.
> Unfortunately, a large part of our traffic does not belong to standard ports
> and therefore the validity of results we get from Bro are rather limited.
> Is there any way to let Bro recognize any HTTP session (for example) even if
> it does not have port 80 or 8080 or such? And... is it possible to
> generalize this behavior on any protocol?
> (Obviously, we can also modify the code; we should be extremely grateful if
> we can provide us some hints, just to start).
> Cheers,
>    Christian

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list