[Bro] Does bro REALLY SUPPORT port-independent analysis of application-layer protocols?

Hui Lin (Hugo) hlin33 at illinois.edu
Tue May 20 06:22:35 PDT 2014


Perhaps this document may help, in case you did not see it.

http://www.bro.org/development/howtos/dpd.html#determining-analyzer-activation

Best,

Hugo


On Tue, May 20, 2014 at 12:42 AM, (peter) <45070198 at qq.com> wrote:

>
>  Seth,
>
> > > In the file /usr/local/bro/share/bro/base/protocols/socks/main.bro,
> there is some code as follows:
> >
> > Take a look at socks/dpd.sig.  Those are the signatures that are running
> and attempting to identify off-port SOCKS connections.
>
> Yes, I saw it, and I thought it would work like that. But Bro
> could only detect and generate the socks.log when the SOCKS server used
> port 1080/tcp, not other ports.
>
>  How could I configure it to detect SOCKS that uses other ports?
>
>  Best,
> peter
>
>
>


-- 
Hui Lin
PhD Candidate, Research Assistant
Electrical and Computer Engineering Department
University of Illinois at Urbana-Champaign