[Bro] Application Layer Classification
jp.luiggi at free.fr
Mon Jan 15 08:25:33 PST 2007
As far as I know, Bro's able to catch this problem but you need to use the
From brolite.bro:
## Dynamic Protocol Detection configuration
# This is off by default, as it requires a more powerful Bro host.
# Uncomment next line to activate.
# const use_dpd = T;
@ifdef ( use_dpd )
Just uncomment "const use_dpd = T;" and you'll get it (it works as is at
On Mon, Jan 15, 2007 at 03:59:02PM +0100, Christian Novello wrote:
> Dear all,
> here at Turin Polytechnic (Italy) we're working with Bro 1.2.1 and we're
> having some trouble in classifying packets that do not use a standard port.
> Unfortunately, a large part of our traffic does not belong to standard ports
> and therefore the validity of results we get from Bro is rather limited.
> Is there any way to let Bro recognize any HTTP session (for example) even if
> it does not have port 80 or 8080 or such? And... is it possible to
> generalize this behavior on any protocol?
> (Obviously, we can also modify the code; we should be extremely grateful if
> you can provide us some hints, just to start).
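The port-independent classification asked about in this thread, as an added Python example that is not part of either message and is not Bro's code: a payload signature nominates a candidate protocol, a stricter parse confirms or rejects it, and the destination port is never consulted. The signatures, function names and sample flows are constructed for illustration.

```python
import re

# Constructed first-payload signatures (assumptions, not Bro's signature set).
CANDIDATES = {
    "http": re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "ssh": re.compile(rb"^SSH-[12]\.\d+-"),
    "smtp": re.compile(rb"^(HELO|EHLO) \S+\r\n"),
}

def confirm_http(payload):
    """Second stage: the header block must be complete and well formed."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return False  # header block not terminated
    header_lines = head.split(b"\r\n")[1:]  # skip the request line
    token = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:")
    return all(token.match(line) for line in header_lines)

# Protocols without an entry here are accepted on the signature alone.
CONFIRM = {"http": confirm_http}

def classify(first_payload):
    """Return the protocol name for an originator payload, or 'unknown'."""
    for proto, signature in CANDIDATES.items():
        if signature.match(first_payload):
            check = CONFIRM.get(proto)
            if check is None or check(first_payload):
                return proto
    return "unknown"

def classify_flows(flows):
    """flows: (dst_port, payload) pairs. The port is echoed back, never used."""
    return [(port, classify(payload)) for port, payload in flows]

# Constructed sample flows.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    (31337, b"GET /a HTTP/1.0\r\nHost: example.org\r\nAccept: */*\r\n\r\n"),
    (8080, b"SSH-2.0-OpenSSH_4.3\r\n"),                  # SSH on a web port
    (80, b"GET / HTTP/1.1\r\n\x00\x01garbage\r\n\r\n"),  # signature hit, parse fails
    (4444, b"\x16\x03\x01\x00\x2a"),                     # matches no signature
]

if __name__ == "__main__":
    for port, proto in classify_flows(SAMPLE_FLOWS):
        print(port, proto)
```

The fourth flow shows why the confirmation step matters: a request line on port 80 followed by a malformed header is not counted as HTTP.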