[Bro] DPD and similar analysis

Eric Thomas edthoma at sandia.gov
Mon Dec 1 12:06:27 PST 2008


I have a project to do DPD-like offline analysis and was looking for help 
and feedback. First off, I'm trying to make sure that DPD is working, so 
I tried to get bro to write ServerFound messages to the notice log. BTW, 
in all my tests I made sure my capture filter included "or (tcp or udp 
or icmp)". To get bro to report ALL servers found, I temporarily 
modified detect-protocols.bro and commented out the two sections that 
would prevent generating notices for "well known ports" (using 
dpd_config). So I would expect to see ServerFound messages for all 
protocols that have been detected. Here is my command line (zzz-custom 
just redefines capture_filters as stated above):

bro -r pcapfile.pcap conn dpd irc-bot dyn-disable detect-protocols 
detect-protocols-http proxy http ssh zzz-custom

When I run this against the pcap file that contains tons of HTTP, SSH and 
likely other traffic, the only ServerFound messages are for SSH. If I was 
getting DPD to work correctly, I would expect to find HTTP ServerFound 
messages. I'm looking to get bro to output all ProtocolFound and 
ServerFound messages, so any help to get that to happen would be 
appreciated.

Once I figure this out, then I'll use DPD for its intended purpose: to 
detect protocols on non-standard ports. However, I'm also supposed to do 
the inverse, that is, detect non-standard protocols on standard ports. Any 
thoughts on how I could do this?

Thanks,

Eric T
Sandia National Labs
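
As an added example, not part of Eric's post or of the Bro distribution, here is one way to approach the "inverse" question (a non-standard protocol showing up on a standard port) with the same DPD machinery. It assumes the Bro 1.x-era script API of the time: the `protocol_confirmation` and `protocol_violation` events with count-typed analyzer tags, `analyzer_name()`, the `ANALYZER_*` constants and `NOTICE()`; the port-to-analyzer table and the notice names are constructed for this example.

```bro
# Added example (not from the original post): raise a notice when a
# connection on a well-known port carries something other than the
# protocol expected there, using the DPD confirmation/violation events.
# Assumes the Bro 1.x script API (see lead-in).

redef enum Notice += {
	UnexpectedProtocolOnPort,   # DPD confirmed a protocol other than the expected one
	ExpectedProtocolViolated,   # the expected analyzer gave up on its own port
};

# Which analyzer we expect on each well-known port.  Constructed table
# for this example; extend or redef as needed.
const expected_on_port: table[port] of count = {
	[80/tcp] = ANALYZER_HTTP,
	[22/tcp] = ANALYZER_SSH,
	[21/tcp] = ANALYZER_FTP,
	[25/tcp] = ANALYZER_SMTP,
} &redef;

# Report each connection at most once.
global reported: set[conn_id];

event protocol_confirmation(c: connection, atype: count, aid: count)
	{
	local rp = c$id$resp_p;
	if ( rp !in expected_on_port || c$id in reported )
		return;

	# DPD is sure about the protocol, and it is not what this port is for.
	if ( atype != expected_on_port[rp] )
		{
		add reported[c$id];
		NOTICE([$note=UnexpectedProtocolOnPort, $conn=c,
		        $msg=fmt("%s confirmed on port %s (expected %s)",
		                 analyzer_name(atype), rp,
		                 analyzer_name(expected_on_port[rp]))]);
		}
	}

event protocol_violation(c: connection, atype: count, aid: count, reason: string)
	{
	local rp = c$id$resp_p;
	if ( rp !in expected_on_port || c$id in reported )
		return;

	# The analyzer that should own this port could not parse the traffic:
	# weaker evidence than a confirmation, but worth a notice of its own.
	if ( atype == expected_on_port[rp] )
		{
		add reported[c$id];
		NOTICE([$note=ExpectedProtocolViolated, $conn=c,
		        $msg=fmt("%s on port %s violated: %s",
		                 analyzer_name(atype), rp, reason)]);
		}
	}
```

Load it alongside the scripts in the command line above (e.g. save it as `port-mismatch.bro` and append that name); the expected analyzers still have to be attached to those ports via `dpd_config` for the events to fire. A violation is only a hint (a buggy or unusual client can trigger one on legitimate traffic), so treat the second notice as lower confidence than the first, and if analyzers that are attached regardless of port also confirm on the same connection, exclude them before comparing.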
