[Bro] DPD and similar analysis
Eric Thomas
edthoma at sandia.gov
Mon Dec 1 12:06:27 PST 2008
I have a project to do DPD-like offline analysis and was looking for help
and feedback. First off, I'm trying to make sure that DPD is working, so
I tried to get bro to write ServerFound messages to the notice log. BTW,
in all my tests I made sure my capture filter included "or (tcp or udp
or icmp)". To get bro to report ALL servers found, I temporarily
modified detect-protocols.bro and commented out the two sections that
would prevent generating notices for "well known ports" (using
dpd_config). So I would expect to see ServerFound messages for all
protocols that have been detected. Here is my command line (zzz-custom
just redefines capture_filters as stated above):
bro -r pcapfile.pcap conn dpd irc-bot dyn-disable detect-protocols
detect-protocols-http proxy http ssh zzz-custom
When I run this against the pcap file that contains tons of HTTP, SSH and
likely other traffic, the only ServerFound messages are for SSH. If I was
getting DPD to work correctly, I would expect to find HTTP ServerFound
messages. I'm looking to get bro to output all ProtocolFound and
ServerFound messages, so any help to get that to happen would be
appreciated.
Once I figure this out, then I'll use DPD for its intended purpose: to
detect protocols on non-standard ports. However, I'm also supposed to do
the inverse, that is, detect non-standard protocols on standard ports. Any
thoughts on how I could do this?
Thanks,
Eric T
Sandia National Labs
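An added offline check (example code, not Bro's and not from the poster) covering both directions the post asks about: a recognised protocol detected on a non-standard port, and something other than the expected protocol on a well-known port. The tab-separated record format and the port table are constructed for this example and are not the real Bro conn log layout.

```python
from collections import namedtuple

Conn = namedtuple("Conn", "orig resp resp_port detected")

# Expected protocol for each well-known port (a dpd_config-style table,
# constructed for this example).
WELL_KNOWN = {22: "SSH", 80: "HTTP", 443: "SSL", 6667: "IRC"}

# Constructed records: orig_host, resp_host, resp_port, DPD-detected protocol
# ("-" means nothing was identified). Not the real Bro conn log layout.
SAMPLE = """\
10.0.0.5\t192.0.2.10\t22\tSSH
10.0.0.5\t192.0.2.11\t8080\tHTTP
10.0.0.6\t192.0.2.12\t80\tSSH
10.0.0.7\t192.0.2.13\t443\tSSL
10.0.0.8\t192.0.2.14\t80\t-
"""

def parse(text):
    """Turn tab-separated records into Conn tuples, skipping blank lines."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        orig, resp, port, detected = line.split("\t")
        conns.append(Conn(orig, resp, int(port), detected))
    return conns

def classify(conns):
    """Return (finding, conn) pairs for every port/protocol mismatch."""
    findings = []
    for c in conns:
        expected = WELL_KNOWN.get(c.resp_port)
        if expected is None:
            # Non-standard port: a recognised protocol here is the usual DPD hit.
            if c.detected != "-":
                findings.append(("protocol_on_nonstandard_port", c))
        elif c.detected == "-":
            # Well-known port but DPD could not identify the protocol at all.
            findings.append(("unidentified_on_standard_port", c))
        elif c.detected != expected:
            # The inverse case from the post: wrong protocol on a well-known port.
            findings.append(("unexpected_on_standard_port", c))
    return findings

if __name__ == "__main__":
    for kind, c in classify(parse(SAMPLE)):
        print(f"{kind}: {c.resp}:{c.resp_port} detected={c.detected}")
```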