[Bro-Dev] Detecting protocols without full analyzers

Slagell, Adam J slagell at illinois.edu
Sun May 8 09:57:40 PDT 2016

Some of the core developers of Bro have been having this discussion internally, and I’d like to bring it to the broader community.

It has been recognized that there are a lot of protocols for which we don’t have full analyzers that some would still like to detect in our conn.logs via simple signatures. A full analyzer is much harder to write and to do well. This creates a barrier to entry. Further, some protocols would not benefit much from deeper analysis because of encryption or other issues. However, it is still desirable to notice that such protocols and applications are used on your network.

I don’t think anyone disagreed that this could be useful, but the question would be how to do it in a maintainable way and where to put it. For example, would this be another field in the conn.log? Would this be turned on in Bro by default, would it be in the policy directory and not base, or would it be a separate plugin people could download if they want.

I’m not going to repeat all the arguments for or against different positions here; I’ll let people do that for themselves. I just want to start the conversation within the broader community.



Adam J. Slagell
Chief Information Security Officer
Director, Cybersecurity Division
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure." 

More information about the bro-dev mailing list