[Bro] Bro Alarms

Diogo Corteletti de Oliveira diogo_c at brturbo.com.br
Mon Nov 12 10:02:02 PST 2007


Hello Guys,

One more question. After enabling the DPD and 
filtering it to only consider events on port 80 I am getting a lot of 
alarms for Google connections like the one below:

t=1194889271.174088 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS 
sa=x.x.x.x sp=4421/tcp da=209.85.165.189 dp=80/tcp msg=x.x.x.x/4421\ >\ 
209.85.165.189/http\ analyzer\ HTTP\ disabled\ due\ to\ protocol\ 
violation sub=not\ a\ http\ reply\ line tag=@877

I am assuming that this is an alert that could 
inform that someone is using a different protocol (not-http) on port 80. 
My objective (as stated in a previous e-mail) is to detect such a thing. 
The strange thing is that I tried to do this before with SourceFire's 
RNA and it alerted with google connections also. Could this mean that 
Google does not follow the HTTP RFC? Any suggestions?


Tks
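The alarm record quoted in the post, parsed as an added example (this is not code from the original post or from Bro itself): it splits the key=value fields on unescaped whitespace, removes the backslash escapes, and pulls out the analyzer and the reason a defender would triage. The sample line is the post's alarm re-joined onto one line; the field names and values come from the post, and the function names are assumptions.

```python
import re
from typing import Dict, Optional

# Constructed sample: the alarm from the post, re-joined onto one line
# (the mail client wrapped it). The source address stays anonymised as x.x.x.x.
SAMPLE_ALARM = (
    "t=1194889271.174088 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS "
    "sa=x.x.x.x sp=4421/tcp da=209.85.165.189 dp=80/tcp "
    r"msg=x.x.x.x/4421\ >\ 209.85.165.189/http\ analyzer\ HTTP\ disabled\ due\ to\ protocol\ violation "
    r"sub=not\ a\ http\ reply\ line tag=@877"
)

# One key=value token: the value runs until unescaped whitespace; a backslash
# escapes the following character (this is how the spaces in msg= survive).
_TOKEN = re.compile(r"(\w+)=((?:\\.|[^\s\\])*)")


def parse_alarm(line: str) -> Dict[str, str]:
    """Parse one alarm record into a dict, with backslash escapes removed."""
    fields: Dict[str, str] = {}
    for key, raw in _TOKEN.findall(line):
        fields[key] = re.sub(r"\\(.)", r"\1", raw)
    return fields


def summarize_dpd_violation(fields: Dict[str, str]) -> Optional[dict]:
    """For a ProtocolViolation notice, return the pieces worth triaging:
    destination, destination port, the analyzer DPD disabled, and the
    reason given in sub=. Returns None for any other notice type."""
    if fields.get("no") != "ProtocolViolation":
        return None
    dport = int(fields["dp"].split("/")[0])          # "80/tcp" -> 80
    m = re.search(r"analyzer (\S+) disabled", fields.get("msg", ""))
    return {
        "dst": fields.get("da", ""),
        "dport": dport,
        "analyzer": m.group(1) if m else "",
        "reason": fields.get("sub", ""),
    }


if __name__ == "__main__":
    print(summarize_dpd_violation(parse_alarm(SAMPLE_ALARM)))
```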


