[Bro] How to do with Bro 2.1

Mike Sconzo sconzo at visiblerisk.com
Wed Oct 10 18:19:22 PDT 2012


Thanks. You're correct, what I want to happen appears to be happening.

Is it a horrible idea to change the signatures? I was curious about
adding more client verbs in HTTP to detect WebDAV, and/or adding an
additional HTTP client sig that operates on UDP, mostly for UPnP
detection.

On Wed, Oct 10, 2012 at 7:55 PM, Seth Hall <seth at icir.org> wrote:
>
> On Oct 10, 2012, at 6:55 PM, Mike Sconzo <sconzo at visiblerisk.com> wrote:
>
>> For example, http://www.bro-ids.org/documentation/scripts/base/protocols/http/file-extract.html
>> adds ports to the DPD config. Does this mean that Bro only uses DPD on
>> traffic over those ports added to the ports list?
>
> No, DPD has two operating heuristics.  One heuristic, which has been the focus of this thread, is the port.  The other heuristic is the signatures, which currently reside here:
>
> http://git.bro-ids.org/bro.git/blob/HEAD:/scripts/base/frameworks/dpd/dpd.sig
>
> Analyzers will be attached to connections with the dpd_config variable and by signatures (multiple analyzers can simultaneously receive the data).  Typically, if more than one analyzer is instantiated for a connection, one of them will fail and be removed from the connection.
>
> Does that clarify things more?  I think that what you want to happen is in fact what's happening.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>



-- 
cat ~/.bash_history > documentation.txt
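As an added illustration of the signature heuristic Seth describes and of the kind of change Mike is asking about, here is a stand-alone signature file in the style of Bro's dpd.sig. It is not code from this thread or from the Bro project: the signature names, the file name and the `redef signature_files` line are assumptions, the extra verbs are the WebDAV methods from RFC 4918, and the SSDP signature only raises a `signature_match` event rather than enabling the HTTP analyzer, because the thread does not establish that the HTTP analyzer can run over UDP.

```bro
# Added example, not from the thread or from Bro's own dpd.sig.
# Loaded from a site script with (file name is an assumption):
#   redef signature_files += "webdav-ssdp.sig";

# 1) HTTP client signature extended with WebDAV verbs (RFC 4918), so a
#    WebDAV session on a port that is not in dpd_config still gets the
#    HTTP analyzer attached through the signature heuristic.
signature webdav_http_client {
  ip-proto == tcp
  payload /^[[:space:]]*(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK)[[:space:]]+/
  tcp-state originator
}

# The analyzer is only enabled once the responder answers with an HTTP
# status line; requiring the reverse signature keeps a stray verb in
# unrelated traffic from attaching the analyzer on its own.
signature webdav_http_server {
  ip-proto == tcp
  payload /^HTTP\/[0-9]/
  tcp-state responder
  requires-reverse-signature webdav_http_client
  enable "http"
}

# 2) UPnP discovery (SSDP) is HTTP-shaped text over UDP/1900.  This only
#    raises a signature_match event for a script to log or alert on; it
#    does not enable "http", since the thread does not say the HTTP
#    analyzer accepts UDP.
signature ssdp_udp_discovery {
  ip-proto == udp
  dst-port == 1900
  payload /^(M-SEARCH|NOTIFY) \* HTTP\/1\.1/
  event "SSDP discovery message"
}
```

Seth's caveat still applies to the TCP pair: if dpd_config also attaches HTTP to the same connection by port, both instances receive the data and the redundant one is dropped once it fails, so the added signature costs little where the port already matched and only changes behaviour on non-standard ports.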