[Bro] bro for application identification

Robin Sommer robin at icir.org
Sun Dec 6 15:38:19 PST 2009


On Fri, Dec 04, 2009 at 12:50 +0000, you wrote:

> dpd, conn, bittorrent, dhcp, dns, ftp, gnutella, http, ident, icmp,
> irc, login, nfs, ntp, pop3, rsh, ssh, tcp, smtp, tftp, udp
> 
> and use the conn.log file to check the label of a flow.

That works, but make sure to set dpd_conn_logs in conn.bro to true
to have the DPD information actually show up in the service field
(the default there is still port-based classification, for backwards
compatibility).

Also note that not all protocol analyzers already support DPD, so
for some from your list above, you will not see any DPD results.
(The quick hack to find out which ones are supported is "grep
ProtocolConfirmation src/*.cc").

> Is there a better way to perform this task?

It depends on what you want to use the results for. If the
connection log has all you need, then this makes sense. There's also
detect-protocols.bro to report protocols on non-standard ports via
Notices. And there are hooks into the protocol detection if you need
more control; the protocol_{confirmation,violation} events inform
you about what DPD finds.

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
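The configuration and the two DPD hooks mentioned in the reply, put together in one small Bro policy script. This is an added example, not code from the mailing-list message or from the Bro distribution: it assumes a Bro 1.x-era policy environment in which `conn.bro` and `dpd.bro` load, `dpd_conn_logs` is redefinable, and the `protocol_confirmation`/`protocol_violation` events, `analyzer_name()` and `open_log_file()` are available with the signatures used below. The separate `dpd-results` log name is a choice made here.

```bro
# Added example (not from the mailing-list message): a small Bro script that
# turns on DPD-based service labels in conn.log and records what DPD finds,
# so the label in conn.log can be traced back to the analyzer decision.
# Assumes a Bro 1.x-era policy environment (conn.bro, dpd.bro) and the
# event/function signatures below.
@load conn
@load dpd

# Make the "service" field of conn.log reflect DPD results instead of the
# port-based default, as the reply above describes.
redef dpd_conn_logs = T;

# Separate log for raw DPD decisions; "dpd-results" is an assumed name.
global dpd_log = open_log_file("dpd-results") &redef;

# Raised once an analyzer is confident the connection speaks its protocol.
# Logging the responder port alongside the analyzer name makes protocols
# on non-standard ports easy to spot when reviewing the file.
event protocol_confirmation(c: connection, atype: count, aid: count)
	{
	print dpd_log, fmt("%.6f confirmed %s for %s:%s -> %s:%s",
	                   network_time(), analyzer_name(atype),
	                   c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
	}

# Raised when an analyzer gives up because the traffic does not match its
# protocol; the reason string explains what the parser objected to.
event protocol_violation(c: connection, atype: count, aid: count, reason: string)
	{
	print dpd_log, fmt("%.6f violation in %s for %s:%s -> %s:%s: %s",
	                   network_time(), analyzer_name(atype),
	                   c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
	                   reason);
	}
```

Run it the same way as any other policy file (for example `bro -r trace.pcap this-script.bro`); conn.log then carries the DPD-derived service label, and the `dpd-results` file keeps the confirmations and violations behind it. As the reply notes, analyzers that do not yet call ProtocolConfirmation will never show up in either place.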
