[Bro] Dynamic Protocol Detection

CS Lee geek00l at gmail.com
Sat Dec 23 18:22:44 PST 2006 

Gentle people,

I have enabled dpd in brolite.bro with

const use_dpd = T;

At the same time I also comment out this line because I want to look into
port 80 traffics.

# redef restrict_filters += [ ["not-http"] = "not (port 80)" ];

I get a lot of this

.....
t=1166923564.867909 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS
sa=1.2.3.5sp=46616/tcp da=
1.2.3.4
dp=80/tcp msg=1.2.3.5/46616\ >\ 1.2.3.4/http\ analyzer\ HTTP\ disabled\ due\
to\ protocol\ violatio
n sub=not\ a\ http\ request\ line tag=@5618
.....

In the wiki, it says that Bro can disable an analyzer on the fly if that
finds that it cannot parse a connection's payload---which most probably
means the protocol detection went wrong. I'm curious about the protocol
violation part. From what I have studied if I enable dpd, it should examine
the traffics via dpd.sig before determine which protocol is used. Since I
have pcap logging, I try to examine the traffic manually with tcpdump and it
seems to be normal http session from 1.2.3.5 to 1.2.3.4. Thus I'm wondering
why it happens as if the http analyzer is disabled then the ids can be
evaded.

Another strange behaviour is the

redef restrict_filters += [ ["not-http"] = "not (port 80)" ];

I have few ports running http traffic, so I need to avoid the report of http
traffics running on port other than 80. For example I have two ports such as
ports 7777 and 7778 running some http kind of daemon, so to do it I just add
this in the dpd section of brolite.bro

redef restrict_filters += [ ["cpanel2"] = "not (port 7777)" ];
redef restrict_filters += [ ["cpanel3"] = "not (port 7778)" ];

So it works as expect but when I add another port for example port 7785
below above two lines,

redef restrict_filters += [ ["cpanel3"] = "not (port 7785)" ];

Suddenly it doesn't work and report http traffics running on those ports. So
I'm curious if anyone have this similar issue. I have tried to define
multiple ports with not(port 7777 and port 7778)  for example but it doesn't
work, I read the wiki and it says that restrict_filters introduces "and" so
that's why I have to specify multiple restrict_filters instead.

One interesting issue also that happens to me is that I have tried to enable
the full trace in bro.cfg,

BRO_CREATE_TRACE_FILE=YES

It logs the pcap correctly, so I try to disable it with

BRO_CREATE_TRACE_FILE=NO

Then restart bro-ids with bro.rc checkpoint, however it is still logging,
thus I have to comment out the line

# BRO_CREATE_TRACE_FILE=NO

Restarting bro-ids again and this time the full pcap logging no longer
works. That's all, I know sooner this will be replaced by time machine for
full content logging but just would like to know if this is my problem or
anyone have this.

Thanks and cheers.



-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20061224/4c3ae286/attachment.html

More information about the Bro mailing list