[Bro] reliable off-line protocol detection

Manuel Crotti manuel.crotti at ing.unibs.it
Tue Aug 23 03:47:14 PDT 2005


Ciao,
I'm trying to make protocol detection on non-standard ports.

I set up an Apache server on 777 and a mail server (postfix) on 778.
I captured packets with tcpdump.
I parsed dumps with a "bro -C -r protocolName.dump backdoor"

those are the "backdoor.log" results:

http.dump

> 1124720330.438091 10.20.188.212/32770 > 10.20.10.34/777 http-sig
> 1124720338.627503 10.20.188.212/32773 > 10.20.10.34/777 http-sig
> 1124720425.113738 10.20.188.212/32784 > 10.20.10.34/777 http-sig

smtp.dump

> 1124785239.632272 127.0.0.1/56034 > 127.0.0.1/778 ftp-sig
> 1124785306.080354 127.0.0.1/56037 > 127.0.0.1/778 ftp-sig
> 1124785591.602025 127.0.0.1/56048 > 127.0.0.1/778 ftp-sig
> 1124785606.143460 127.0.0.1/56050 > 127.0.0.1/778 ftp-sig

WHY? ( ©1992 Annie Lennox)

Best regards,
Manuel.
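As an added illustration of the question above (example code, not Bro's backdoor detector and not the poster's own): assuming, as a hypothesis, that an ftp-sig style heuristic keys on the server's three-digit reply codes, the constructed sessions below show why an SMTP exchange on an arbitrary port looks like FTP, and a check on the first client command that separates the two.

```python
# Added example: reply codes alone cannot separate SMTP from FTP; the first
# client verb can. All sessions and function names below are constructed.
import re

# Constructed sample sessions ("S:" = server line, "C:" = client line).
SMTP_ON_778 = [
    "S: 220 mail.example.test ESMTP Postfix",
    "C: EHLO client.example.test",
    "S: 250-mail.example.test",
    "S: 250 DSN",
    "C: MAIL FROM:<a@example.test>",
    "S: 250 2.1.0 Ok",
]
FTP_ON_21 = [
    "S: 220 (vsFTPd 2.0.3)",
    "C: USER anonymous",
    "S: 331 Please specify the password.",
    "C: PASS guest",
    "S: 230 Login successful.",
]

REPLY_CODE = re.compile(r"^[1-5]\d\d[ -]")  # e.g. "220 ", "250-"

def naive_ftp_sig(session):
    """Hypothetical reply-code heuristic: 'FTP' if the server greets with 220
    and every server line starts with a three-digit code. SMTP meets both
    conditions, so this fires on both protocols."""
    server = [l[3:] for l in session if l.startswith("S:")]
    return bool(server) and server[0].startswith("220 ") and \
        all(REPLY_CODE.match(l) for l in server)

def classify(session):
    """Distinguish the two by the first client command and the banner text."""
    server = [l[3:] for l in session if l.startswith("S:")]
    client = [l[3:] for l in session if l.startswith("C:")]
    if not server or not REPLY_CODE.match(server[0]):
        return "unknown"
    verb = client[0].split()[0].upper() if client else ""
    banner = server[0].upper()
    if verb in ("EHLO", "HELO") or "SMTP" in banner:
        return "smtp"          # SMTP clients open with EHLO/HELO
    if verb in ("USER", "FEAT", "SYST") and "SMTP" not in banner:
        return "ftp"           # FTP clients open with USER (or FEAT/SYST)
    return "unknown"
```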