[Bro] Application Layer Classification
Jean-Philippe Luiggi
jp.luiggi at free.fr
Mon Jan 15 08:25:33 PST 2007
Hello Christian,
As far as I know, Bro is able to catch this problem, but you need to use the
"DPD.bro" module.
From brolite.bro:
====
## Dynamic Protocol Detection configuration
#
# This is off by default, as it requires a more powerful Bro host.
# Uncomment next line to activate.
# const use_dpd = T;
@ifdef ( use_dpd )
@load dpd
@load irc-bot
====
Just uncomment "const use_dpd = T;" and you'll get it (it works as is at
home).
Best regards.
On Mon, Jan 15, 2007 at 03:59:02PM +0100, Christian Novello wrote:
> Dear all,
>
> here at Turin Polytechnic (Italy) we're working with Bro 1.2.1 and we're
> having some trouble in classifying packets that do not use a standard port.
> Unfortunately, a large part of our traffic does not belong to standard ports
> and therefore the validity of results we get from Bro is rather limited.
>
> Is there any way to let Bro recognize any HTTP session (for example) even if
> it does not have port 80 or 8080 or such? And... is it possible to
> generalize this behavior on any protocol?
>
> (Obviously, we can also modify the code; we should be extremely grateful if
> you can provide us some hints, just to start).
>
> Cheers,
>
> Christian
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
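
The general idea behind port-independent classification, as an added illustration in Python (not Bro code and not part of this thread): a payload signature nominates a candidate protocol and a minimal parser confirms it, instead of trusting the port number. The port table, patterns and sample flows are constructed for the example.

```python
import re

# Port table a purely port-based classifier relies on (constructed).
PORT_MAP = {21: "ftp", 22: "ssh", 80: "http", 8080: "http"}

# First-bytes signatures that nominate a candidate protocol (hypothetical patterns).
SIGNATURES = {
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "ssh": re.compile(rb"^SSH-[12]\.\d+-\S+"),
}

def confirm_http(payload):
    """Second stage: the header block must be complete and every line 'Name: value'."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return False
    return all(re.match(rb"^[A-Za-z0-9-]+:", line) for line in head.split(b"\r\n")[1:])

CONFIRM = {"http": confirm_http}  # protocols without an entry pass on signature alone

def by_port(dport):
    return PORT_MAP.get(dport, "unknown")

def by_payload(payload):
    for proto, sig in SIGNATURES.items():
        if sig.match(payload) and CONFIRM.get(proto, lambda p: True)(payload):
            return proto
    return "unknown"

def classify(dport, payload):
    """Return (port_guess, payload_guess) so disagreements are visible."""
    return by_port(dport), by_payload(payload)

# Constructed sample flows: (destination port, first bytes sent by the originator).
FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (8123, b"GET /a HTTP/1.0\r\nHost: example.test\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_4.3\r\n"),
    (4444, b"GET / HTTP/1.1\r\nnot a header line\r\n\r\n"),
]

if __name__ == "__main__":
    for dport, payload in FLOWS:
        port_guess, payload_guess = classify(dport, payload)
        note = "" if port_guess == payload_guess else "  <-- port and payload disagree"
        print(f"{dport:>5}  port={port_guess:<8} payload={payload_guess:<8}{note}")
```

The second flow is HTTP that a port table misses, the third is SSH on a port labelled HTTP, and the fourth matches the HTTP signature but is rejected by the confirmation step.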