[Bro] Bro Alarms
Diogo Corteletti de Oliveira
diogo_c at brturbo.com.br
Mon Nov 12 10:02:02 PST 2007
One more question. After enabling the DPD and
filtering it to only consider events on port 80 I am getting a lot of
alarms for Google connections like the one below:
t=1194889271.174088 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS
sa=x.x.x.x sp=4421/tcp da=126.96.36.199 dp=80/tcp msg=x.x.x.x/4421\ >\
188.8.131.52/http\ analyzer\ HTTP\ disabled\ due\ to\ protocol\
violation sub=not\ a\ http\ reply\ line tag=@877
I am assuming that this is an alert that could
inform that someone is using a different protocol (not-http) on port 80.
My objective (as stated in a previous e-mail) is to detect such a thing.
The strange thing is that I tried to do this before with SourceFire's
RNA and it alerted with Google connections also. Could this mean that
Google does not follow the HTTP RFC? Any suggestions?
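To triage records like this at volume, here is an added Python example (not from the post, and not Bro's own code) that parses the alarm-file format quoted above, where a backslash escapes the spaces inside a field value, and flags the case the poster wants to detect: the HTTP analyzer being disabled on a port-80 connection. The addresses in the sample are constructed documentation-range values.

```python
from collections import Counter
from typing import Dict, List

# Constructed sample modelled on the alarm record quoted in the post;
# addresses replaced with documentation-range values.
SAMPLE_ALARM = (
    "t=1194889271.174088 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS "
    "sa=192.0.2.10 sp=4421/tcp da=198.51.100.7 dp=80/tcp "
    "msg=192.0.2.10/4421\\ >\\ 198.51.100.7/http\\ analyzer\\ HTTP\\ "
    "disabled\\ due\\ to\\ protocol\\ violation "
    "sub=not\\ a\\ http\\ reply\\ line tag=@877"
)


def tokenize(record: str) -> List[str]:
    """Split on unescaped spaces; a backslash escapes the next character."""
    tokens, cur, i = [], [], 0
    while i < len(record):
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):
            cur.append(record[i + 1])  # keep the escaped char literally
            i += 2
            continue
        if ch == " ":
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_alarm(record: str) -> Dict[str, str]:
    """Turn one 'key=value key=value ...' alarm record into a dict."""
    fields = {}
    for tok in tokenize(record):
        key, sep, value = tok.partition("=")
        if sep:  # ignore anything that is not key=value
            fields[key] = value
    return fields


def is_non_http_on_80(fields: Dict[str, str]) -> bool:
    """DPD disabled the HTTP analyzer on a port-80 connection."""
    return (fields.get("no") == "ProtocolViolation"
            and fields.get("dp") == "80/tcp"
            and "analyzer HTTP disabled" in fields.get("msg", ""))


def violation_reasons(records: List[str]) -> Counter:
    """Count the 'sub' reasons, to see whether one cause dominates."""
    return Counter(parse_alarm(r).get("sub", "") for r in records
                   if is_non_http_on_80(parse_alarm(r)))
```

Grouping a day of alarms by `sub` shows whether the Google hits all share one reason (here, the server's first line not parsing as an HTTP reply) or are a mix worth a closer look.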