[Bro] Protocol Analyzer

Johanna Amann johanna at icir.org
Wed Sep 21 22:11:32 PDT 2016

Hello Ben,

the easiest way to accomplish this is probably to look into the c$service
field - if it is empty, no analyzer has flagged that it can succesfully
parse the protocol yet.

This is, however, not perfect - c$service is populated by the
protocol_confirmation/violation. Thus, it will only be set after a parser
accepts that a connection actually "speaks" a protocol; so you will
probably get the first few pacjets for every connection - see
base/frameworks/dpd/main.bro for more details.

Apart from that, you can also check Analyzer::registered_ports for ports
where Bro always tries to attach a specific analyzer.

I hope this helps,

On Wed, Sep 21, 2016 at 04:29:05PM -0600, Ben Mixon-Baca wrote:
> Hi,
> I am doing low level packet inspection using the tcp_packet event. I am
> wondering if there is a way to inspect only the tcp payload if it
> doesn't parse to any well-known tcp based application. For example, if
> an application uses 20394/tcp for TLS, I would not want to see this
> payload. However, if the application using 20394/tcp has a payload that
> doesn't parse to anything Bro speaks, I would like to be able to inspect
> this tcp payload.
> Thanks in advance!
> -- 
> Ben

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list