[Bro] dpd unknown port

Siwek, Jon jsiwek at illinois.edu
Mon Jul 21 07:54:27 PDT 2014

On Jul 21, 2014, at 8:26 AM, Juan Caballero <juan.caballero at imdea.org> wrote:

> If I have a DPD signature for
> the protocol (e.g., for HTTP) what is the easiest way to tell Bro to use the
> signature on any connection regardless of port? Can this be done on the
> scripting layer?

It sounds like you want to write a signature [1] with a particular “payload” content condition and an “enable” action to active a particular protocol analyzer.

- Jon

[1] http://www.bro.org/sphinx/frameworks/signatures.html

More information about the Bro mailing list