[Bro] Bro DPD (Beginner)

zubair rafique m_zubair_rafique at yahoo.com
Fri Apr 13 08:48:54 PDT 2012

Thanks for the quick reply. One more question. How to detect/extract HTTP request in TCP payload (where TCP connection is established on the non-standard port).

 From: Seth Hall <seth at icir.org>
To: zubair rafique <m_zubair_rafique at yahoo.com> 
Cc: "bro at bro-ids.org" <bro at bro-ids.org> 
Sent: Friday, April 13, 2012 5:39 PM
Subject: Re: [Bro] Bro DPD (Beginner)

On Apr 13, 2012, at 11:13 AM, zubair rafique wrote:

> I am using the following command line option:
>  sudo /usr/local/bro/bin/bro -f tcp  -r mytrace.pcap   /usr/local/bro/share/bro/base/frameworks/dpd/main.bro
> There is no dpd log file generated by bro.
> What I am missing here?.

Do you have a conn.log or http.log?  conn.log will indicate which analyzer(s) successfully analyzed a connection and http.log will show the information from the log.  dpd.log is mostly used for debugging when and why DPD failed.  No failure, no log (failure includes the client or server not abiding the protocol).

You also don't need to include "-f tcp" in your filter.  Bro has a wide open filter which lets everything in by default now.  You also don't need to load that script.  You could condense your entire command line to "bro -r mytrace.pcap"


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120413/76f98c04/attachment.html 

More information about the Bro mailing list