[Bro] HTTP Question
Nicholas Weaver
nweaver at ICSI.Berkeley.EDU
Fri Nov 9 11:06:11 PST 2007
On Fri, Nov 09, 2007 at 01:54:19PM -0500, Jean-Philippe Luiggi composed:
> Diogo Corteletti de Oliveira wrote:
> > Hello,
> >
> > Can BRO alarm on non-http traffic over port 80?
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
>
> Hello Diogo,
>
> I think so if you use DPD (dynamic protocol detection).
> Please note there's already a file "detect-protocols.bro" which
> is able to find connections with protocols on non-standard ports.
>
> Best regards,
>
> Jean-philippe.
Note also that, to make this more reliable, you should set dpd_buffer_size
to a significantly longer size; otherwise larger POST requests may not
be recognized.
E.g.,
redef dpd_buffer_size = 4096;
or
redef dpd_buffer_size = 10000;
--
Nicholas C. Weaver nweaver at icsi.berkeley.edu
This message has been ROT-13 encrypted twice for higher security.