[Bro] Unknown protocol in Bro

Robin Sommer robin at icir.org
Sat Dec 29 05:00:27 PST 2007


On Thu, Dec 20, 2007 at 19:07 +0200, you wrote:

> If port value isn't handled I create an instance of UnknownConnection class,
> which fires events for each request/reply of its connection. These events
> are handled in policy script and write the content to HDD.
> 
> How can I do the same in new versions of Bro?

The best location for such functionality should be
DPM::BuildInitialAnalyzerTree() in DPM.{h,cc} (DPM is the "dynamic
protocol manager"). In the new version of Bro, this method takes
the initial decision which analyzers to use for a connection, in
particular by checking whether there is a well-known port for any of
the protocols Bro supports.

Instead of creating an UnknownConnection class, you can derive a
class UnknownProtocolAnalyzer from class Analyzer and then add an
instance of that in BuildInitialAnalyzerTree() to the connection's
analyzer tree whenever there isn't any other analyzer to put in
charge. 

The drawback of this approach is that you'll also be writing content
to disk for connections for which an analyzer is found later, e.g.,
via DPD's signature matching. If that is a problem (i.e., you don't
want to rely on well-known ports only for the content saving), an
alternative would be to instantiate the UnknownProtocolAnalyzer
later, e.g., only once the signature matching has been turned off.
Until this point all content is buffered so you wouldn't lose
anything. However, performance might be affected somewhat with this
approach if there are a lot of connections with unsupported
protocols.

Let me know if you need more details on the DPD implementation. 

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
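The two designs discussed above (a fallback analyzer attached in BuildInitialAnalyzerTree() when no well-known port matches, versus saving content only after DPD signature matching has had its chance) are sketched here as an added, stand-alone example. It is not Bro's code: `Analyzer`, `Connection`, `DPM`, `HttpStub` and `UnknownProtocolAnalyzer` are simplified stand-ins with invented signatures, and `saved_content` is an in-memory vector standing in for the policy-script writes to disk.

```cpp
// Added example, not Bro's implementation: a toy model of the analyzer-tree
// decision described in the reply. All class and method names are stand-ins.
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Stand-in for the content the policy script would write to the HDD.
static std::vector<std::string> saved_content;

struct Analyzer {
    virtual ~Analyzer() {}
    virtual std::string Name() const = 0;
    virtual void DeliverStream(const std::string& data, bool orig) = 0;
    virtual void Done() {}
};

// Stand-in for a protocol analyzer chosen via its well-known port (HTTP on 80).
struct HttpStub : Analyzer {
    std::string Name() const override { return "HTTP"; }
    void DeliverStream(const std::string&, bool) override {}
};

// Catch-all analyzer for unknown protocols. It buffers payload while DPD may
// still attach a real analyzer, and only saves it in Done() if it was never
// superseded. This avoids the drawback of writing content for connections
// whose protocol is identified later by signature matching.
struct UnknownProtocolAnalyzer : Analyzer {
    std::string buffer;
    bool superseded = false;
    std::string Name() const override { return "UNKNOWN"; }
    void DeliverStream(const std::string& data, bool orig) override {
        buffer += (orig ? "C>" : "S>") + data + "\n";
    }
    void Done() override {
        if (!superseded && !buffer.empty())
            saved_content.push_back(buffer);
    }
};

struct Connection {
    uint16_t resp_port;
    std::vector<std::unique_ptr<Analyzer>> tree;  // simplified analyzer tree
    UnknownProtocolAnalyzer* fallback = nullptr;
    explicit Connection(uint16_t p) : resp_port(p) {}
};

// Minimal DPM stand-in: well-known port -> protocol analyzer, otherwise the
// UnknownProtocolAnalyzer is put in charge (the first approach in the reply).
struct DPM {
    std::map<uint16_t, std::string> well_known = {{80, "HTTP"}};

    void BuildInitialAnalyzerTree(Connection& c) {
        auto it = well_known.find(c.resp_port);
        if (it != well_known.end() && it->second == "HTTP") {
            c.tree.push_back(std::make_unique<HttpStub>());
            return;
        }
        auto u = std::make_unique<UnknownProtocolAnalyzer>();
        c.fallback = u.get();
        c.tree.push_back(std::move(u));
    }

    // Later DPD signature match: a real analyzer takes over, so the fallback
    // must not save this connection's content as "unknown".
    void SignatureMatched(Connection& c, std::unique_ptr<Analyzer> a) {
        if (c.fallback) c.fallback->superseded = true;
        c.tree.push_back(std::move(a));
    }
};

void Deliver(Connection& c, const std::string& data, bool orig) {
    for (auto& a : c.tree) a->DeliverStream(data, orig);
}

void Finish(Connection& c) {
    for (auto& a : c.tree) a->Done();
}

// Which analyzer BuildInitialAnalyzerTree() puts in charge for a given port.
std::string InitialAnalyzer(uint16_t port) {
    DPM dpm; Connection c(port);
    dpm.BuildInitialAnalyzerTree(c);
    return c.tree.front()->Name();
}

// Drives a constructed unknown-port connection, optionally with a later
// signature match, and returns how many payloads ended up saved.
size_t RunUnknownPort(bool later_match) {
    saved_content.clear();
    DPM dpm; Connection c(9999);
    dpm.BuildInitialAnalyzerTree(c);
    Deliver(c, "hello", true);
    if (later_match) dpm.SignatureMatched(c, std::make_unique<HttpStub>());
    Deliver(c, "world", false);
    Finish(c);
    return saved_content.size();
}
```

The buffering in `UnknownProtocolAnalyzer` is where the performance caveat from the reply shows up: every unknown-port connection holds its payload in memory until the DPD decision is final, so a high rate of unsupported-protocol connections costs memory in proportion to their volume.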