[Bro] How to get anything into c$service
Robin Sommer
robin at icir.org
Sat Sep 22 11:23:27 PDT 2007
On Fri, Sep 21, 2007 at 18:52 -0700, you wrote:
> However, the service set remains empty in new_connection and
> connection_finished events. I guess that makes sense for the former
> event, but not the latter, so what else do I need?
"services" is set at a few locations whenever some script believes
it has recognized a service. Most importantly, that's DPD's protocol
detection[1], but also, e.g., ftp-data and portmapper connections.
The crucial point is that you need to have some analyzer running
which takes the decision. Assuming dpd_conn_logs=T, I get for
example service={HTTP} for HTTP sessions once I load http-request.
Robin
[1] Also applies to standard ports, i.e., even without running the
DPD signatures.
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org
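The two ways c$service gets filled in, as an added policy-script example that is not part of the original post or of the Bro distribution. It uses the names the thread mentions (http-request, dpd_conn_logs, connection_finished, new_connection) and assumes the Bro 1.x script syntax of the time; the script name `dpd`, the port `my_custom_port` and the service name "MYPROTO" are assumptions made up for the illustration.

```bro
# Added example (not from the original post or the Bro distribution):
# a minimal policy script showing how c$service gets populated.

# Some analyzer has to be running to make the decision, so load the
# DPD framework (assumed script name) and an HTTP analyzer script.
@load dpd
@load http-request

# As in the thread: let DPD record its decision in the connection record.
redef dpd_conn_logs = T;

# Hypothetical: a local port on which we label traffic ourselves,
# independent of any analyzer, the way ftp-data/portmapper scripts do.
const my_custom_port = 31337/tcp &redef;

event connection_established(c: connection)
	{
	# Manual labelling: c$service is a set[string], so just add to it.
	if ( c$id$resp_p == my_custom_port )
		add c$service["MYPROTO"];
	}

event connection_finished(c: connection)
	{
	# By now every analyzer that ran (HTTP via DPD signatures or via the
	# standard port) has had its chance to fill in c$service.
	# new_connection fires before any payload is seen, so it is too early.
	local found = F;
	for ( s in c$service )
		{
		found = T;
		print fmt("%s:%s -> %s:%s: service %s",
		          c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, s);
		}

	if ( ! found )
		print fmt("%s:%s -> %s:%s: no service recognized",
		          c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
	}
```

Run this against a trace containing HTTP traffic and the HTTP sessions should report service HTTP at connection_finished; connections to the hypothetical port report MYPROTO without any analyzer having seen them, and everything else reports nothing, which is exactly the situation the question describes.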