[Bro] HTTP Question

Jean-Philippe Luiggi jp.luiggi at free.fr
Fri Nov 9 12:39:27 PST 2007

Diogo Corteletti de Oliveira a écrit :
> Yeah! You are right there's also "detect-protocols-http.bro"
>> Hello Diogo,
>> I think so if you use DPD (dynamic protocol detection).
>> Please note there's already a file "detect-protocols.bro" which
>> is able to find connections with protocols on non-standard ports.
>> Best regards,
>> Jean-philippe

Hello Diego,

Yes, that's right, this one loads "detect-protocols.bro"
In fact, i think specifying the use of "dpd" in "brolite.bro" will give 
all the things you want :

from brolite.bro :
## Dynamic Protocol Detection configuration
# This is off by default, as it requires a more powerful Bro host.
# Uncomment next line to activate.
const use_dpd = T;

@ifdef ( use_dpd )
        @load dpd
        @load irc-bot
        @load dyn-disable
        @load detect-protocols
        @load detect-protocols-http
        @load proxy
        @load ssh

        # By default, DPD looks at all traffic except port 80.
        # For lightly loaded networks, comment out the restrict_filters 
        # For heavily loaded networks, try adding addition ports (e.g., 
25) to
        #   the restrict filters.
        redef capture_filters += [ ["tcp"] = "tcp" ];
        redef restrict_filters += [ ["not-http"] = "not (port 80)" ];

Best regards,


More information about the Bro mailing list