[Bro] Problems adding http ports to bro (git version)

C. L. Martinez carlopmart at gmail.com
Tue Aug 13 04:24:58 PDT 2013


Uhmm ... well, I don't know if bro can detect http requests on
non-standard ports. I have not yet been able to start it :)).

I will try it, and if these http ports are not detected I will open
a new thread ....

Many thanks, Vlad.


On Tue, Aug 13, 2013 at 11:18 AM, Vlad Grigorescu <vladg at cmu.edu> wrote:
> Let's back up a bit. Bro uses signatures to detect protocols on non-standard ports, and it should also be able to identify the server and the client.
>
> Out of the box, Bro should be able to automatically detect HTTP on all ports for you. If that's not working, that means that there's a problem with either how you're running Bro, or that there's a bug in Bro.
>
> How are you running Bro? What does the conn.log line look like for an HTTP connection on a non-standard port that Bro failed to detect? Do you have a PCAP of such traffic that you could share (anonymized is fine)?
>
> Having said all that, to answer your original question: The way you specify these ports for DPD changed in 2.2. If you take a look at base/protocols/http/main.bro:
>
> const ports = {
>         80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp,
>         8000/tcp, 8080/tcp, 8888/tcp,
> };
> redef likely_server_ports += { ports };
>
> # Initialize the HTTP logging stream and ports.
> event bro_init() &priority=5
>         {
>         Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]);
>         Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
>         }
>
>    --Vlad
>
> On Aug 13, 2013, at 6:47 AM, C. L. Martinez <carlopmart at gmail.com> wrote:
>
>> Nope, same result.
>>
>> On Tue, Aug 13, 2013 at 10:37 AM, Scott Runnels <srunnels at gmail.com> wrote:
>>> Do you get a different result if you remove the trailing comma from
>>> "51010/tcp,};" in the ports constant?
>>>
>>>
>>> On Tue, Aug 13, 2013 at 5:55 AM, C. L. Martinez <carlopmart at gmail.com>
>>> wrote:
>>>>
>>>> redef dpd_config += {
>>>>        [[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = ports],
>>>> };
>>>
>>>
>>>
>>>
>>> Scott Runnels
>>>
>
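For reference, the 2.2-style replacement for the old `dpd_config` redef quoted above, written as a site policy snippet: this is an added example for this thread, not code from either poster or from the Bro distribution. The module name `SiteHTTP` and port 8081/tcp are assumptions; 51010/tcp is the port from the original post.

```bro
# Site policy snippet (e.g. in local.bro) for Bro 2.2: register the HTTP
# analyzer on extra ports. Added example, not from the original posts.
@load base/protocols/http

module SiteHTTP;   # hypothetical module name

# Ports on which this site expects HTTP in addition to the defaults that
# base/protocols/http/main.bro already registers.
# 51010/tcp comes from the thread; 8081/tcp is a constructed extra.
const extra_http_ports: set[port] = { 51010/tcp, 8081/tcp } &redef;

# Let the connection-direction heuristic treat these as server-side ports,
# mirroring what main.bro does for its own port list.
redef likely_server_ports += { extra_http_ports };

# Attach the HTTP analyzer to sessions on these ports up front, so they are
# parsed even when the HTTP signature never fires (e.g. one-sided capture).
event bro_init() &priority=5
	{
	Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, extra_http_ports);
	}
```

After loading this, conn.log entries on those ports should carry `http` in the service column and http.log should gain matching rows; if they still do not, the port registration is not the problem and Vlad's questions about how Bro is being run are the next thing to check.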