[Bro] How to get anything into c$service

Robin Sommer robin at icir.org
Sun Sep 23 23:17:13 PDT 2007


On Sun, Sep 23, 2007 at 22:51 -0700, Christian Kreibich wrote:

>   @load conn
[...]
> then I no longer seem to get connection_finished events(!), despite

Does loading tcp.bro instead of conn.bro help?

>   @load conn
>   @load dpd
>   redef dpd_conn_logs = T;
> 
> all is well: I get both connection_finished and connection_state_remove,
> and both carry HTTP in c$service (since in that case the capture filter
> ends up being "tcp or udp or icmp"). 

My last reply actually simplified things a bit, sorry. For services
added via the DPD mechanism (i.e., verifying the presence of the
protocol by having the analyzer parse it), this is what is needed:

- the (core) analyzer needs to see the packets. That's the case with
Bro's fall-back default "tcp or udp or icmp" but not anymore once
you load any script which modifies the default (e.g., tcp.bro). If
so, you either need to set the filter manually or load the
corresponding analyzer script which then makes sure the packets are
included. That's actually why I referred to http-request.bro

- you need to load conn.bro (which almost always gets pulled in by
some other script anyway). conn.bro has the handler for the
protocol_confirmation() event, which adds the entry to the service
field once an analyzer believes it's indeed its protocol.

For other services (i.e., non-DPD) the corresponding script sets the
services. E.g., ftp.bro adds an entry "ftp-data" to services for
data sessions. 

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
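As an added illustration of the two requirements Robin lists (not a script from the thread or from the Bro distribution), a minimal Bro 1.x policy file that loads conn.bro and an analyzer script and then reports whatever DPD put into c$service when a connection is flushed. The commented-out `capture_filters` redef is the manual-filter alternative he mentions; the table name is a Bro 1.x redef table and is assumed here, as is the exact record layout of `c$id`.

```bro
# Added example (not from the original thread): a minimal policy script
# that makes DPD-detected services visible in c$service and reports them
# when a connection is flushed.

# conn.bro carries the protocol_confirmation() handler that adds an entry
# to c$service once an analyzer has confirmed its protocol.
@load conn
@load dpd
redef dpd_conn_logs = T;

# Loading an analyzer script (here http-request.bro) extends the capture
# filter so the core HTTP analyzer actually sees the packets. Without it,
# any script that narrows the fall-back "tcp or udp or icmp" filter would
# starve the analyzer and c$service would stay empty for HTTP sessions.
@load http-request

# Alternative when no analyzer script is loaded: extend the capture
# filter by hand. capture_filters is assumed to be the Bro 1.x redef
# table whose BPF fragments are OR'ed into the final filter.
# redef capture_filters += { ["dpd-http"] = "tcp port 80" };

event connection_state_remove(c: connection)
	{
	# An empty service set is the symptom discussed in the thread:
	# either the analyzer never saw the packets or conn.bro is not loaded.
	if ( |c$service| == 0 )
		{
		print fmt("%s:%d -> %s:%d  no service identified",
			c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
		return;
		}

	# One line per confirmed service (e.g. HTTP, or ftp-data added by ftp.bro).
	for ( s in c$service )
		print fmt("%s:%d -> %s:%d  service=%s",
			c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, s);
	}
```

Run it against a trace with `bro -r trace.pcap this-script.bro`; if every connection reports "no service identified", check which loaded script last modified the capture filter before suspecting the analyzer.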



More information about the Bro mailing list