[Bro] How to do with Bro 2.1
seth at icir.org
Fri Oct 5 18:41:47 PDT 2012
On Oct 5, 2012, at 5:11 PM, keqhe at cs.wisc.edu wrote:

> Bro 2.1 employs DPD to do application layer protocol classification. That
> is, it looks at the first few packets' payload to determine its service

Here's the paper that describes it in more detail if this helps:

> However, I notice that a large number of flows going through port 80 are
> considered as TCP not HTTP. We just want Bro to do application layer
> protocol classification based on port. What should I do?

I think you're going to have to describe more about what you are actually seeing that you think is incorrect. TCP and HTTP are different classes of protocol anyway since TCP is transport and HTTP is application. Bro should be identifying supported protocols on any port and attaching an appropriate analyzer if one exists.

International Computer Science Institute
(Bro) because everyone has a network