[Bro] Protocol Analyzer

Ben Mixon-Baca bmixonb1 at cs.unm.edu
Thu Sep 22 07:49:32 PDT 2016

Thanks, Johanna! That gives me a place to start.

On 09/21/2016 11:11 PM, Johanna Amann wrote:
> Hello Ben,
> the easiest way to accomplish this is probably to look into the c$service
> field - if it is empty, no analyzer has flagged that it can succesfully
> parse the protocol yet.
> This is, however, not perfect - c$service is populated by the
> protocol_confirmation/violation. Thus, it will only be set after a parser
> accepts that a connection actually "speaks" a protocol; so you will
> probably get the first few pacjets for every connection - see
> base/frameworks/dpd/main.bro for more details.
> Apart from that, you can also check Analyzer::registered_ports for ports
> where Bro always tries to attach a specific analyzer.
> I hope this helps,
>  Johanna
> On Wed, Sep 21, 2016 at 04:29:05PM -0600, Ben Mixon-Baca wrote:
>> Hi,
>> I am doing low level packet inspection using the tcp_packet event. I am
>> wondering if there is a way to inspect only the tcp payload if it
>> doesn't parse to any well-known tcp based application. For example, if
>> an application uses 20394/tcp for TLS, I would not want to see this
>> payload. However, if the application using 20394/tcp has a payload that
>> doesn't parse to anything Bro speaks, I would like to be able to inspect
>> this tcp payload.
>> Thanks in advance!
>> -- 
>> Ben
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160922/53e12673/attachment.bin 

More information about the Bro mailing list