[Bro] How to get anything into c$service

Robin Sommer robin at icir.org
Sat Sep 22 11:23:27 PDT 2007


On Fri, Sep 21, 2007 at 18:52 -0700, you wrote:

> However, the service set remains empty in new_connection and
> connection_finished events. I guess that makes sense for the former
> event, but not the latter, so what else do I need?

"services" is set at a few locations whenever some script believes
it has recognized a service. Most importantly that's DPD's protocol
detection[1] but also, e.g., ftp-data and portmapper connections. 

The crucial point is that you need to have some analyzer running
which takes the decision. Assuming dpd_conn_logs=T, I get for
example service={HTTP} for HTTP sessions once I load http-request.

Robin

[1] Also applies to standard ports, i.e., even without running the
DPD signatures. 

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
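An added example illustrating the point above, not code from the original message: a small Bro script that loads the HTTP analyzer so DPD can populate c$service, and then reports the recognized services from connection_finished. The script names (http-request, dpd) are the ones mentioned in the thread; the redef of dpd_conn_logs and the handler body are assumptions for illustration.

```bro
# Added example: observe which services were recognized for each connection.
# Without an analyzer loaded, c$service stays empty, exactly as described above.

@load dpd             # DPD protocol detection populates c$service
@load http-request    # loads the HTTP analyzer, so HTTP sessions get service={HTTP}

# Assumed: enable DPD-based connection logging so recognized services are recorded.
redef dpd_conn_logs = T;

event connection_finished(c: connection)
    {
    # c$service is a set[string]; it is empty if no analyzer took a decision.
    if ( |c$service| == 0 )
        {
        print fmt("%s:%s -> %s:%s: no service recognized (no analyzer claimed it)",
                  c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
        return;
        }

    # Report every service that some analyzer attributed to this connection.
    for ( s in c$service )
        print fmt("%s:%s -> %s:%s: service %s",
                  c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, s);

    # Membership test, e.g. to single out HTTP sessions for further handling.
    if ( "HTTP" in c$service )
        print fmt("HTTP session finished: %s -> %s", c$id$orig_h, c$id$resp_h);
    }
```

Run it with a trace or live interface and compare the output with and without the @load http-request line: connections that DPD (or the standard-port mapping) hands to the HTTP analyzer gain "HTTP" in c$service, while the rest keep an empty set.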