[Bro] DPD and similar analysis

Robin Sommer robin at icir.org
Tue Dec 2 13:30:16 PST 2008 

On Mon, Dec 01, 2008 at 12:06 -0800, you wrote:

> or icmp)". To get bro to report ALL servers found, I temporarily 
> modified detect-protocols.bro and commented out the two sections that 
> would prevent generating notices for "well known ports" (using 
> dpd_config). So I would expect to see ServerFound messages for all 
> protocols that have been detected.

Hmm... I can't reproduce that. Likewise commenting out the
dpd_config check in detect_protocols.bro and running with a tiny SSH
trace I get:

> bro -r ssh.trace ssh dpd detect-protocols
1150485521.634103 ProtocolFound XXX.XXX.XXX.XXX/49244 > XXX.XXX.XXX.XXX/ssh SSH on port 22/tcp
1150485521.634103 ServerFound XXX.XXX.XXX.XXX: SSH server on port 22/tcp

> bro -r pcapfile.pcap conn dpd irc-bot dyn-disable detect-protocols 
> detect-protocols-http proxy http ssh zzz-custom

Note that you should use http-request instead of http, and
potentially also load http-{reply,body}.bro.

> Once I figure this out, then I'll use DPD for it's intended purpose: to 
> detect protocols on non-standard ports. However, I'm also supposed to do 
> the inverse, that is, detect non-standard protocols on standard ports. Any 
> thoughts on how I could do this?

dyn-disable reports ProtocolViolations when the analyzer can't parse
the protocol, which is an indicator that there might be something
running on that port which isn't the standard protocol.

Also, if you enable dpd_conn_logs in conn.bro, the service field
indicates the DPD result, including whether it could *not* parse the
protocol.  From CHANGES:

  The new script variable dpd_conn_logs (default F), if true,
  changes the semantics of the service field in connection logs
  written to conn.log, as follows (Robin Sommer).  It becomes a
  comma-separated list of analyzers confirmed by DPD to parse the
  connection's payload.  If no analyzer could confirm its protocol,
  but the connection uses a well-known port, the service is the name
  of the port with "?" appended (e.g., "http?"), as long as the
  corresponding analyzer has not declined the connection. In
  addition, ftp-data sessions are labeled "ftp-data" and portmapper
  connections are labeled with the specific method-call (just as
  before).

  dpd_conn_logs defaults to F because the change in semantics may
  break scripts that parse conn.logs; but it will likely change to
  the default in the future. With dpd_conn_logs turned off, conn
  logs are generated as they used to be, with a few rare exceptions
  (with previous versions, the service field was sometimes
  determined while the connection was still alive; now it's always
  determined at the time when the conn.log entry is written out).
  
Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

More information about the Bro mailing list