[Bro] DPD and similar analysis

Eric Thomas edthoma at sandia.gov
Mon Dec 1 12:06:27 PST 2008

I have a project to do DPD-like offline analysis and was looking for help 
and feedback. First off, I'm trying to make sure that DPD is working, so 
I tried to get bro to write ServerFound messages to the notice log. BTW, 
in all my tests I made sure my capture filter included "or (tcp or udp 
or icmp)". To get bro to report ALL servers found, I temporarily 
modified detect-protocols.bro and commented out the two sections that 
would prevent generating notices for "well known ports" (using 
dpd_config). So I would expect to see ServerFound messages for all 
protocols that have been detected. Here is my command line (zzz-custom 
just redefines capture_filters as stated above):

bro -r pcapfile.pcap conn dpd irc-bot dyn-disable detect-protocols 
detect-protocols-http proxy http ssh zzz-custom

When I run this against the pcap file that contains tons of HTTP, SSH and 
likely other traffic, the only ServerFound messages are for SSH. If I was 
getting DPD to work correctly, I would expect to find HTTP ServerFound 
messages. I'm looking to get bro to output all ProtocolFound and 
ServerFound messages, so any help to get that to happen would be 

Once I figure this out, then I'll use DPD for its intended purpose: to 
detect protocols on non-standard ports. However, I'm also supposed to do 
the inverse, that is, detect non-standard protocols on standard ports. Any 
thoughts on how I could do this?


Eric T
Sandia National Labs
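One way to frame the offline analysis the post describes, both directions at once, as an added example that is not part of the original post and not Bro's own code: feed it one record per connection carrying the responder port and the application protocol a DPD-style analyzer confirmed, compare that against a table of what each well-known port conventionally carries, and report protocols on non-standard ports (DPD's usual case) alongside standard ports carrying some other protocol (the inverse case asked about). The record layout, the sample records and the port convention table are all constructed for this example; the layout is not Bro's conn or notice log format.

```python
"""
Offline "inverse DPD" check (added example, not from the post or from Bro).
Input records are constructed below; the field layout is an assumption and
is not Bro's conn or notice log format.
"""
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "orig resp proto resp_p detected")

# Convention table: which protocol a well-known port is expected to carry.
# Hand-written assumption for the example; extend it for your environment.
STANDARD_PORTS = {
    ("tcp", 22): "SSH",
    ("tcp", 80): "HTTP",
    ("tcp", 443): "SSL",
    ("tcp", 6667): "IRC",
    ("udp", 53): "DNS",
}

EXPECTED = "expected"
PROTO_ON_NONSTD = "protocol_on_nonstandard_port"        # DPD's usual use case
NONSTD_ON_STD = "nonstandard_protocol_on_standard_port"  # the inverse case
UNDETECTED = "undetected"

# Constructed sample: orig resp proto resp_port detected_protocol ("-" = none)
SAMPLE = """\
10.0.0.5 192.0.2.10 tcp 80 HTTP
10.0.0.6 192.0.2.10 tcp 80 HTTP
10.0.0.6 192.0.2.11 tcp 8080 HTTP
10.0.0.7 192.0.2.12 tcp 80 SSH
10.0.0.8 192.0.2.13 tcp 22 SSH
10.0.0.9 192.0.2.14 udp 53 DNS
10.0.0.9 192.0.2.15 tcp 4444 -
"""


def parse_records(text):
    """Parse whitespace-separated records; '-' marks a connection never identified."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        orig, resp, proto, resp_p, detected = line.split()
        conns.append(Conn(orig, resp, proto, int(resp_p),
                          None if detected == "-" else detected))
    return conns


def classify(conn):
    """Compare the confirmed protocol against the responder port's convention."""
    if conn.detected is None:
        return UNDETECTED
    expected = STANDARD_PORTS.get((conn.proto, conn.resp_p))
    if expected is None:
        return PROTO_ON_NONSTD      # nothing is "standard" on this port
    if expected == conn.detected:
        return EXPECTED
    return NONSTD_ON_STD


def servers_found(conns):
    """One entry per responder endpoint (in the spirit of a ServerFound notice),
    listing every protocol confirmed there, so a port serving two protocols shows both."""
    servers = defaultdict(set)
    for c in conns:
        if c.detected is not None:
            servers[(c.resp, c.proto, c.resp_p)].add(c.detected)
    return dict(servers)


def anomalies(conns):
    """Sorted, de-duplicated (resp, proto, port, detected, category) for mismatches only."""
    out = set()
    for c in conns:
        cat = classify(c)
        if cat in (PROTO_ON_NONSTD, NONSTD_ON_STD):
            out.add((c.resp, c.proto, c.resp_p, c.detected, cat))
    return sorted(out)


if __name__ == "__main__":
    conns = parse_records(SAMPLE)
    for (host, proto, port), protos in sorted(servers_found(conns).items()):
        print(f"ServerFound {host} {proto}/{port}: {', '.join(sorted(protos))}")
    for row in anomalies(conns):
        print("Anomaly", *row)
```

Connections the analyzer never identified are kept out of both the server list and the anomaly list rather than being guessed at, since a missing confirmation is exactly the DPD gap the post is trying to diagnose first.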

