[Bro] Bro and unusual http ports

Castle, Shane scastle at bouldercounty.org
Fri Nov 16 15:40:44 PST 2012

I have a device inside that communicates using a weird http port (3000/tcp). I have verified that it is not malicious but it annoys me, and I'd like to be able to track what it does using Bro. Unfortunately, Bro is not recognizing its traffic as http. I've tried adding the port to likely_server_ports but to no avail. The port definitions in the base http scripts are not redef-able, and I seem to have hit my limit in tweaking Bro to make it decode this traffic.

What am I missing? 

BTW this is Bro 2.0 (yes I know, consider me chastised) but the scripts seem to be the same in 2.1.

Shane Castle
Data Security Mgr, Boulder County IT
