[Bro] Dynamic Protocol Detection

Robin Sommer robin at icir.org
Mon Jan 8 16:31:56 PST 2007


On Sun, Dec 24, 2006 at 10:22 +0800, CS Lee wrote:

> seems to be normal http session from 1.2.3.5 to 1.2.3.4. Thus I'm wondering
> why it happens as if the http analyzer is disabled then the ids can be
> evaded.

Hard to say without seeing the actual packets. Can you send me the
trace of that connection? 

> redef restrict_filters += [ ["cpanel2"] = "not (port 7777)" ];
> redef restrict_filters += [ ["cpanel3"] = "not (port 7778)" ];
[...]
> redef restrict_filters += [ ["cpanel3"] = "not (port 7785)" ];

Assuming that this is not just a typo in the mail, you're using the
same index twice (cpanel3), and therefore the second entry for that
index overrides the first one, and you are going to see packets on
port 7778. If you load print-filter.bro, you see what Bro's packet
filter looks like. 

Note that another way for suppressing alerts for certain
ports/servers is redefining ProtocolDetector::valids. See
detect-protocols.bro for examples.

> BRO_CREATE_TRACE_FILE=NO
> # BRO_CREATE_TRACE_FILE=NO

(Can't say much about this, but probably it's a small bug in the
shell script.)

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
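A small check for the pitfall pointed out in this reply, added here as an example (it is not code from the thread or from Bro itself): it parses `redef restrict_filters +=` lines, reports any index that is defined more than once (the later redef silently wins), and approximates the expression that print-filter.bro would show. The sample policy lines are constructed after the ones quoted above; that restrict_filters entries are ANDed together is an assumption about how Bro builds its packet filter.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample policy lines modelled on the quoted ones; the repeated
# "cpanel3" index is deliberate, it is the mistake discussed in the thread.
SAMPLE_POLICY = """
redef restrict_filters += [ ["cpanel2"] = "not (port 7777)" ];
redef restrict_filters += [ ["cpanel3"] = "not (port 7778)" ];
redef restrict_filters += [ ["cpanel3"] = "not (port 7785)" ];
"""

# Matches: redef restrict_filters += [ ["<index>"] = "<bpf>" ];
REDEF_RE = re.compile(
    r'redef\s+restrict_filters\s*\+=\s*\[\s*\[\s*"([^"]+)"\s*\]'
    r'\s*=\s*"([^"]+)"\s*\]\s*;'
)


def parse_restrict_filters(policy: str) -> List[Tuple[str, str]]:
    """Return (index, bpf_expression) pairs in policy order."""
    return [(m.group(1), m.group(2)) for m in REDEF_RE.finditer(policy)]


def find_overridden(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Indices assigned more than once, mapped to the values that were lost."""
    seen: Dict[str, str] = {}
    overridden: Dict[str, List[str]] = {}
    for idx, bpf in entries:
        if idx in seen:
            overridden.setdefault(idx, []).append(seen[idx])
        seen[idx] = bpf
    return overridden


def effective_table(entries: List[Tuple[str, str]]) -> Dict[str, str]:
    """Model of the table Bro ends up with: the last assignment per index."""
    table: Dict[str, str] = {}
    for idx, bpf in entries:
        table[idx] = bpf
    return table


def combined_filter(table: Dict[str, str]) -> str:
    """Assumed to mirror print-filter.bro: restrict filters ANDed together."""
    return " and ".join(f"({bpf})" for _, bpf in sorted(table.items()))


if __name__ == "__main__":
    parsed = parse_restrict_filters(SAMPLE_POLICY)
    for idx, lost in find_overridden(parsed).items():
        print(f"index {idx!r} redefined; lost filters: {lost}")
    print("effective filter:", combined_filter(effective_table(parsed)))
```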
