<div dir="ltr">Hi Miguel,<br><br>If you are using hostname.bro, which may load brolite.bro (which in turn loads http.bro), and http_ports is defined in http.bro as well, you may find the following lines:<br><br># DPM configuration.<br>
# global http_ports = {<br># 80/tcp, 81/tcp, 631/tcp, 3138/tcp,<br># 8000/tcp, 8080/tcp, 8888/tcp,<br># } &redef;<br><br>I comment those out; instead, in snort.bro I comment out one line and add a similar config in http.bro:<br>
<br>#const http_ports = { 80/tcp, 8000/tcp, 8001/tcp, 8080/tcp };<br>global http_ports = {<br> 80/tcp, 81/tcp, 631/tcp, 3128/tcp,<br> 8000/tcp, 8080/tcp, 8888/tcp,<br>} &redef; <br><br>Then try to run it again and see if it works. <br>
<br>Cheers<br><br><br><div class="gmail_quote">On Tue, Aug 5, 2008 at 3:00 AM, <span dir="ltr"><<a href="mailto:bro-request@icsi.berkeley.edu">bro-request@icsi.berkeley.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Today's Topics:<br>
<br>
1. signature dst-port issue (Miguel Angel Calvo Moya)<br>
2. Re: signature dst-port issue (Robin Sommer)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Mon, 4 Aug 2008 10:33:18 +0200<br>
From: Miguel Angel Calvo Moya <<a href="mailto:mangel12321@hotmail.com">mangel12321@hotmail.com</a>><br>
Subject: [Bro] signature dst-port issue<br>
To: <<a href="mailto:bro@ICSI.Berkeley.EDU">bro@ICSI.Berkeley.EDU</a>><br>
Message-ID: <BLU130-W798FDC80C818195E29E43F0780@phx.gbl><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
<br>
Hello,<br>
<br>
I am having trouble using signatures on Bro. Let's say we have the following signature:<br>
<br>
signature s2b-99999-9 {<br>
ip-proto == tcp<br>
#dst-port == 80<br>
#dst-port == http_ports<br>
tcp-state established<br>
event "Sample Signature"<br>
}<br>
<br>
When I use "dst-port == 80" everything seems to work. By 'work' I mean that Bro generates plenty of warnings, placing them in signatures.log; however, if we replace "dst-port == 80" with "dst-port == http_ports" and run it again against the same trace, we no longer get any warnings.<br>
<br>
http_ports is declared on $BROPATH/policy/snort.bro as:<br>
const http_ports = { 80/tcp, 8000/tcp, 8001/tcp, 8080/tcp };<br>
<br>
I assume snort.bro is loaded correctly, since otherwise it throws non-declaration errors. It is loaded in my hostname.bro file, which I use when running Bro.<br>
<br>
Also, does anybody know whether the next release will implement another regular expression matching library? I am trying to update snort2bro to support the Snort pcre; however, it is not a trivial task.<br>
<br>
Any suggestions?<br>
Thank you!<br>
Miguel<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Mon, 4 Aug 2008 10:52:46 -0700<br>
From: Robin Sommer <<a href="mailto:robin@icir.org">robin@icir.org</a>><br>
Subject: Re: [Bro] signature dst-port issue<br>
To: <a href="mailto:bro@ICSI.Berkeley.EDU">bro@ICSI.Berkeley.EDU</a>, Miguel Angel Calvo Moya<br>
<<a href="mailto:mangel12321@hotmail.com">mangel12321@hotmail.com</a>><br>
Message-ID: <<a href="mailto:20080804175246.GA51343@icir.org">20080804175246.GA51343@icir.org</a>><br>
Content-Type: text/plain; charset=us-ascii<br>
<br>
<br>
On Mon, Aug 04, 2008 at 10:33 +0200, Miguel Angel Calvo Moya wrote:<br>
<br>
> I am having trouble using signatures on bro. Lets say we have the following signature<br>
<br>
Can you send me a small trace with which you see the problem and the<br>
exact command line you're using to start Bro?<br>
<br>
> Also, does anybody know whether next release will implement other<br>
> regular expression matching library?<br>
<br>
No, we don't have any plans to switch to another regexp library.<br>
<br>
> I am trying to update snort2bro to support the snort pcre, however<br>
> it is not a trivial task.<br>
<br>
Cool! but yeah, not exactly trivial. :)<br>
<br>
Robin<br>
<br>
--<br>
Robin Sommer * Phone +1 (510) 666-2886 * <a href="mailto:robin@icir.org">robin@icir.org</a><br>
ICSI/LBNL * Fax +1 (510) 666-2956 * <a href="http://www.icir.org" target="_blank">www.icir.org</a><br>
<br>
<br>
------------------------------<br>
<br>
<br>
<br>
End of Bro Digest, Vol 28, Issue 2<br>
**********************************<br>
</blockquote></div><br><br clear="all"><br>-- <br>Best Regards,<br><br>CS Lee<geek00L[at]<a href="http://gmail.com">gmail.com</a>><br><br><a href="http://geek00l.blogspot.com">http://geek00l.blogspot.com</a><br>
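<br>As an added example (not code from this thread and not from the Bro distribution), here is how the same end result can be reached without patching the shipped snort.bro and http.bro: let http.bro's redef-able definition remain the single owner of http_ports, extend the set from the local policy file, and point the signature at that one set. The file name hostname.bro comes from the thread; the signature file name local.sig and the extra port 8001/tcp (the one port snort.bro lists that http.bro does not) are assumptions. This does not claim to explain why the set reference matched nothing in Miguel's run; Robin asked for the trace and command line for that.<br>

```bro
# hostname.bro -- local policy file (added example, not from the thread).

# http.bro defines http_ports as "global http_ports = { ... } &redef;".
# Loading it here makes that definition the single owner of the name.
# Do not also load a script that declares a second, non-redef-able
# http_ports (the "const http_ports = { ... };" line in snort.bro);
# two definitions of the same global are an error, not a merge.
@load http

# Add the one port snort.bro carried that http.bro lacks (assumed: 8001/tcp),
# instead of copying the whole set into a second file.  "redef ... +=" only
# works because http.bro's definition carries &redef; a plain const would
# have to be edited in place.
redef http_ports += { 8001/tcp };

# Load the signature file that references http_ports (name is hypothetical).
# Equivalent to passing "-s local.sig" on the bro command line.
redef signature_files += "local.sig";
```

local.sig would then hold the signature from Miguel's post with the `dst-port == http_ports` line uncommented and the literal `dst-port == 80` line left out, so that the port list the signature matches on and the port list the HTTP analyzer uses are the same set, edited in exactly one place.<br>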
</div>