[Bro] Dealing with tcp-based Unknown Protocols

Shuai Hao haoscs at gmail.com
Sun Dec 10 22:45:02 PST 2017

Hi All,

I wonder whether anyone has experience tackling the "unknown protocol" case,
when DPD cannot recognize the protocol and/or all existing analyzers fail.

At this time we assume that all protocols are TCP-based. According to one
of the previous discussions,
we first attempt to create a signature which matches everything. Such a
signature will eventually capture ALL connections, even when there is an
available analyzer that can process the stream (e.g., HTTP). However, we want
the analyzer for unknown protocols to be triggered only when no existing
analyzer can be used.

(1) One possible way we are considering is a mechanism that can
control the processing of analyzers. For example, when one of the analyzers is
successful, it sends a signal to the Unknown-Protocol-Analyzer to terminate.

(2) Another way is that we set a global variable which captures and
indicates the failed/successful analyzers after DPD; then, if all
analyzers fail, the Unknown-Protocol-Analyzer is triggered.

In addition, according to this message,
Robin mentioned the method DPM::BuildInitialAnalyzerTree() in DPM.{h, cc}
(Manage::BuildInitialAnalyzerTree() in the current distribution). From the
source code,
it seems that we can initiate an analyzer here when seeing a connection
which is non-TCP, non-UDP, and non-ICMP. However, if we assume all
TCP-based protocols, where should we look if we have to touch the source

We haven't investigated the PIA implementation; is this part related and
worth exploring?

As such, does anyone have ideas how to deal with such a case? Thanks for any
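Approach (2) above can be prototyped entirely at the script layer, without a custom analyzer or a match-everything signature. The script below is an added example, not code from the original post or from the Bro project: it records which connections received a protocol_confirmation or a protocol_violation, and at connection_state_remove it logs TCP connections that carried payload in both directions yet were never confirmed by any analyzer. It assumes the Bro 2.5-era script API (protocol_confirmation/protocol_violation events, Analyzer::name, endpoint$size), and the min_bytes threshold is a constructed value chosen to skip empty handshakes.

```bro
# Added example (not from the original post): script-level detection of
# TCP connections that no DPD analyzer could confirm.
module UnknownProto;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:         time        &log;
        uid:        string      &log;
        id:         conn_id     &log;
        orig_bytes: count       &log;
        resp_bytes: count       &log;
        ## Analyzers that were tried on the stream and reported a violation.
        tried:      set[string] &log;
    };

    ## Minimum payload bytes per direction before a connection counts as
    ## "unknown" rather than simply empty (constructed threshold, tune locally).
    const min_bytes = 16 &redef;
}

# Per-connection bookkeeping keyed by uid; entries are dropped on state removal.
global confirmed: set[string] = set();
global violated: table[string] of set[string] = table();

event bro_init()
    {
    Log::create_stream(UnknownProto::LOG, [$columns=Info, $path="unknown_proto"]);
    }

event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
    {
    # Any analyzer succeeding means the protocol is known; remember it.
    add confirmed[c$uid];
    }

event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string)
    {
    # Record which analyzer gave up on this stream, for context in the log.
    if ( c$uid !in violated )
        violated[c$uid] = set();
    add violated[c$uid][Analyzer::name(atype)];
    }

event connection_state_remove(c: connection)
    {
    local uid = c$uid;
    local tried: set[string] = (uid in violated) ? violated[uid] : set();

    if ( uid in violated )
        delete violated[uid];

    # A confirmed connection is not unknown, even if another analyzer failed.
    if ( uid in confirmed )
        {
        delete confirmed[uid];
        return;
        }

    # Only TCP, only streams with real payload in both directions,
    # and only when DPD attached no service at all.
    if ( ! is_tcp_port(c$id$resp_p) )
        return;
    if ( c$orig$size < min_bytes || c$resp$size < min_bytes )
        return;
    if ( |c$service| > 0 )
        return;

    Log::write(UnknownProto::LOG,
               [$ts=network_time(), $uid=uid, $id=c$id,
                $orig_bytes=c$orig$size, $resp_bytes=c$resp$size,
                $tried=tried]);
    }
```

The resulting unknown_proto.log lists, per connection, the byte counts and the analyzers that ran and bailed out, which is the "all analyzers failed" condition the post describes; a dedicated analyzer could then be attached to such connections from script land once the decision logic is settled.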