[Bro] Bro Digest, Vol 28, Issue 2
Miguel Angel Calvo Moya
mangel12321 at hotmail.com
Tue Aug 5 01:42:18 PDT 2008
> If u are using hostname.bro which may load brolite.bro(it will load http.bro), and http_ports is defined in http.bro as well, you may find the following lines -
>
> # DPM configuration.
> # global http_ports = {
> # 80/tcp, 81/tcp, 631/tcp, 3138/tcp,
> # 8000/tcp, 8080/tcp, 8888/tcp,
> # } &redef;
>
> I comment them out, instead in snort.bro I comment out one line and add the similar config in http.bro
>
> #const http_ports = { 80/tcp, 8000/tcp, 8001/tcp, 8080/tcp };
> global http_ports = {
> 80/tcp, 81/tcp, 631/tcp, 3128/tcp,
> 8000/tcp, 8080/tcp, 8888/tcp,
> } &redef;
>
> Then try to run it again and see if it works.
As you suggested I declared http_posts at snort.bro as 'global' instead of 'const'. It did not work. Fortunately, when declaring http_ports as
global http_ports = {
80, 81, 631, 3128,
8000, 8080, 8888
} &redef
without '/tcp' the signature works. Since 'ip-proto == tcp' is already set, the results will not differ, am I right?
Thank you
Miguel
More information about the Bro
mailing list