[Bro] dpd unknown port

Siwek, Jon jsiwek at illinois.edu
Mon Jul 21 10:39:40 PDT 2014

On Jul 21, 2014, at 11:25 AM, Juan Caballero <juan.caballero at imdea.org> wrote:

>> It sounds like you want to write a signature [1] with a particular
> "payload" content condition 
> In my case I simply want to use protocols such as HTTP for which Bro already
> has a DPD signature, so no need to create a new one
>> and an "enable" action to active a particular protocol analyzer.
> This is the step I do not know how to do. The only "enable" function I see
> is "Analyzer::enable_analyzer(Analyzer::ANALYZER_HTTP)"
> However when I use that function it does not seem to enable the DPD
> signature for all ports, i.e., an HTTP connection on port 7623/tcp does not
> get analyzed unless I use Analyzer::register_for_ports to add port 7623/tcp
> Any suggestions for this step?

There’s two main ways to tell a protocol analyzer what connections it needs to parse:

(1) well-known ports (i.e. "Analyzer::register_for_ports()”)
(2) signatures (i.e. the documentation I linked to before)

Those two are unrelated — the ports given to "Analyzer::register_for_ports()” will cause the analyzer to be activated on connections that use those ports regardless of whether any signatures match.  And conversely, signature matches that enable an analyzer won’t be restricted by what well-known ports are registered.

The two are also specified in different grammars: you’re already familiar with the scripting language that can be used for registering well-known ports.  There’s a different signature language that’s described by that documentation I linked, and you can also see some examples by looking at “dpd.sig" files shipped in Bro.  The “enable” action I referred to before is part of the signature language, not the scripting language.

For the particular example you’re giving, it may be worthwhile to figure out why the default HTTP signature (base/protocols/http/dpd.sig) is not matching and maybe write one that will (if you’re desperate, do a signature to match every connection).

- Jon

More information about the Bro mailing list