[Bro] HTTP Question
Jean-Philippe Luiggi
jp.luiggi at free.fr
Fri Nov 9 12:39:27 PST 2007
Diogo Corteletti de Oliveira wrote:
> Yeah! You are right there's also "detect-protocols-http.bro"
>> Hello Diogo,
>> I think so if you use DPD (dynamic protocol detection).
>> Please note there's already a file "detect-protocols.bro" which
>> is able to find connections with protocols on non-standard ports.
>>
>> Best regards,
>>
>> Jean-philippe
Hello Diogo,
Yes, that's right, this one loads "detect-protocols.bro".
In fact, I think specifying the use of "dpd" in "brolite.bro" will give
all the things you want:
from brolite.bro:
====
## Dynamic Protocol Detection configuration
#
# This is off by default, as it requires a more powerful Bro host.
# Uncomment next line to activate.
const use_dpd = T;
@ifdef ( use_dpd )
@load dpd
@load irc-bot
@load dyn-disable
@load detect-protocols
@load detect-protocols-http
@load proxy
@load ssh
# By default, DPD looks at all traffic except port 80.
# For lightly loaded networks, comment out the restrict_filters line.
# For heavily loaded networks, try adding addition ports (e.g., 25) to
# the restrict filters.
redef capture_filters += [ ["tcp"] = "tcp" ];
redef restrict_filters += [ ["not-http"] = "not (port 80)" ];
@endif
====
Best regards,
Jean-philippe.