[Bro] DPD not getting expected results

Eric Thomas edthoma at sandia.gov
Mon Jan 12 13:39:14 PST 2009

I'm running bro in offline mode (-r) trying to get various aspects of DPD 
to work. I needed a good trace to test, so I configured system B's SSH to 
run on ports 22, 23, and 80. Then I got a packet trace (tcpdump -w) while 
SSH'ing from system A to those three ports on system B.

I ran bro on the trace with the following policy files (in this order):

notice conn dpd irc-bot dyn-disable detect-protocols detect-protocols-http 
proxy http-request http-reply ssh zzz-custom

zzz-custom is my custom policy file for redefs. In that file I redef'd 
dpd_conn_logs to T and ensured an all-inclusive capture_filter.

The results are not what I was hoping for. I expected, because I enabled 
dpd_conn_logs, that SSH would be properly detected and the conn log would 
indicate that. Instead, there is a ? appended after the name of the port, 
which indicates the protocol wasn't parsed. I expected to see 
ProtocolViolation messages in the notice log because of the non-http 
protocol on port 80 (this is a feature of dyn-disable). And I expected to 
see ProtocolFound and ServerFound notices because of the SSH protocol on a 
non-standard port (according to the wiki, that code is in 
detect-protocols.bro). None of the three things I expected to happen 

My notice log is completely empty. And the conn log has the three 
connections I expected (albeit with the missing detected protocol). I'm 
running bro 1.4. Any ideas on what I'm doing wrong here?

Eric T
edthoma at sandia.gov
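For readers following along, here is what a custom redef policy file of the kind described in the post (the "zzz-custom" file) can look like in Bro 1.x syntax. This is an added illustration written for this page, not Eric's actual file and not code from the Bro project; the file name, the table key "all" and the choice of extra SSH ports are assumptions, and the dpd_config entry is included as one way to tell DPD to try the SSH analyzer on the non-standard ports so that a miss shows up as a protocol violation in the logs rather than an unparsed "?" connection.

```bro
# zzz-custom.bro (assumed file name): redefs loaded after the standard policies.

# Log DPD decisions for each connection (the setting mentioned in the post).
redef dpd_conn_logs = T;

# All-inclusive capture filter so no traffic is dropped before analysis.
# The table key "all" is an arbitrary label chosen for this example.
redef capture_filters += { ["all"] = "ip or not ip" };

# Assumption for this example: also register the SSH analyzer on the
# ports used in the test capture (22, 23 and 80) so DPD will attempt SSH
# there without relying solely on signature-based protocol detection.
redef dpd_config += {
    [ANALYZER_SSH] = [$ports = set(22/tcp, 23/tcp, 80/tcp)]
};
```

When checking whether such a file took effect, compare the conn log with and without it: a successfully parsed session should no longer carry the trailing "?" on the service name, and a mismatch between the analyzer and the traffic on a port should produce a ProtocolViolation entry in the notice log.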

