[Bro-Dev] Hui Lin_Some question on Binpac

Robin Sommer robin at icir.org
Wed Jul 13 09:47:53 PDT 2011


On Tue, Jul 12, 2011 at 20:28 -0700, you wrote:

> to see what traffic is coming in and what traffic is going out. But I am
> using the traffic dump to test, so how can Binpac know which traffic is
> coming in and going out?

Yes, in general that's a problem. Here's what Bro (and thus in turn
BinPAC) is doing:

    (1) by default, the first packet of a new connection indicates the
        originator.

    (2) it however also looks at well-known ports: if with (1), the
        connection would have a well-known port on the originator-side but
        not on the responder-side, it flips the direction.

Is there a well-known port for this protocol? If so, add it to
policy/server-ports.bro and it should work. If not, you can trigger
the flipping yourself by calling Connection::FlipRoles(), but you'd
need some heuristic to decide who's the client. BinPAC doesn't have
anything built in for that (yet). Also, flipping should occur as early
as possible, as otherwise things may get mixed up.

Robin


-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
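The two-step direction heuristic Robin describes (first packet names the originator; flip if only the originator side sits on a well-known port) is small enough to model directly. Below is an added, stand-alone Python re-implementation of that heuristic for illustration; it is not Bro's or BinPAC's code. The `SERVER_PORTS` set is a constructed stand-in for policy/server-ports.bro, `Tracker`, `Packet`, `Connection` and `should_flip` are names invented here, and the packets fed in are constructed to mimic a traffic dump that starts mid-connection, which is exactly the case where rule (1) alone gets the direction wrong.

```python
"""Toy model of Bro's originator/responder direction heuristic.

Added example, not Bro/BinPAC source. Ports, names and packets are
constructed for illustration only.
"""
from dataclasses import dataclass

# Constructed stand-in for policy/server-ports.bro (assumption: the real
# file lists many more ports). Ports here count as "well-known".
SERVER_PORTS = {21, 22, 25, 80, 443}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Connection:
    orig_ip: str
    orig_port: int
    resp_ip: str
    resp_port: int
    flipped: bool = False   # True if rule (2) swapped the roles
    seen: int = 0           # packets attributed to this connection

    def flip_roles(self) -> None:
        """Swap originator and responder (what Connection::FlipRoles() does)."""
        self.orig_ip, self.resp_ip = self.resp_ip, self.orig_ip
        self.orig_port, self.resp_port = self.resp_port, self.orig_port
        self.flipped = not self.flipped


def conn_key(p: Packet) -> tuple:
    """Direction-independent 5-tuple so both halves of a flow share one entry."""
    a = (p.src_ip, p.src_port)
    b = (p.dst_ip, p.dst_port)
    return (p.proto,) + (a + b if a <= b else b + a)


def should_flip(orig_port: int, resp_port: int, server_ports=SERVER_PORTS) -> bool:
    """Rule (2): flip when the originator, but not the responder, is on a
    well-known port. If both or neither are well-known, keep rule (1)."""
    return orig_port in server_ports and resp_port not in server_ports


class Tracker:
    """Minimal connection table applying rule (1) then rule (2)."""

    def __init__(self, server_ports=SERVER_PORTS):
        self.server_ports = server_ports
        self.conns: dict = {}

    def process(self, pkt: Packet) -> Connection:
        key = conn_key(pkt)
        conn = self.conns.get(key)
        if conn is None:
            # Rule (1): the first packet seen defines the originator ...
            conn = Connection(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            # ... and rule (2) is applied right away, before any payload
            # reaches an analyzer, so later packets are not "mixed up".
            if should_flip(conn.orig_port, conn.resp_port, self.server_ports):
                conn.flip_roles()
            self.conns[key] = conn
        conn.seen += 1
        return conn


if __name__ == "__main__":
    # Constructed dump that starts with the server's reply (port 80 -> client).
    dump = [
        Packet("10.0.0.2", 80, "10.0.0.9", 50123),
        Packet("10.0.0.9", 50123, "10.0.0.2", 80),
    ]
    t = Tracker()
    for p in dump:
        c = t.process(p)
    print(f"orig={c.orig_ip}:{c.orig_port} resp={c.resp_ip}:{c.resp_port} "
          f"flipped={c.flipped} packets={c.seen}")
    # Custom protocol on 5000 with no well-known port: no flip happens unless
    # 5000 is added to the server-port set, as suggested in the reply.
    custom = Packet("10.0.0.2", 5000, "10.0.0.9", 6000)
    print("default  :", Tracker().process(custom).flipped)
    print("with 5000:", Tracker(SERVER_PORTS | {5000}).process(custom).flipped)
```

The `Tracker(SERVER_PORTS | {5000})` case shows the effect of adding a port to the server-port list: the very same first packet now gets its roles flipped at connection setup, whereas with the default set rule (1) silently leaves the server as originator and a later, manual `flip_roles()` would already have misattributed earlier packets.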