[Bro] bro for application identification

Charalampos Rotsos cr409 at cam.ac.uk
Tue Dec 8 03:14:44 PST 2009


Robin Sommer wrote:
> On Fri, Dec 04, 2009 at 12:50 +0000, you wrote:
>
>   
>> dpd, conn, bittorrent, dhcp, dns, ftp, gnutella, http, ident, icmp,
>> irc, login, nfs, ntp, pop3, rsh, ssh, tcp, smtp, tftp, udp
>>
>> and use the conn.log file to check the label of a flow.
>>     
>
> That works, but make sure to set dpd_conn_logs in conn.bro to true
> to have the DPD-information actually show up in the service field
> (the default there is still port-based classification, for backwards
> compatibility). 
>
> Also note that not all protocol analyzers already support DPD, so
> for some from your list above, you will not see any DPD results.
> (The quick hack to find out which ones are supported is "grep
> ProtocolConfirmation src/*.cc").
>
>   
>> Is there a better way to perform this task?
>>     
>
> It depends on what you want to use the results for. If the
> connection log has all you need, then this makes sense. There's also
> detect-protocols.bro to report protocols on non-standard ports via
> Notices. And there are hooks into the protocol detection if you need
> more control; the protocol_{confirmation,violation} events inform
> you about what DPD finds.
>   

What I want to do is to ground truth a network trace. I want to use as
many protocol analysers as possible in order to reduce the manual
verification of the label.

If I load the detect-protocols script, will I see the results of
the analysis in conn.log?

> Robin
>
>   
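An added script illustrating the two approaches Robin describes, labeling flows from DPD results via conn.log and via the protocol_{confirmation,violation} events. This is editor-supplied example code, not a script from the thread or from the Bro distribution. It assumes the Bro 1.x script API of the time: dpd_conn_logs being the conn.bro switch named above, the two events carrying the analyzer tag as a count, and analyzer_name() and join_string_set() being available; check the signatures against the event.bif of the version in use before relying on it.

```bro
# Added example (not from the thread or the Bro distribution).
# Assumes the Bro 1.x script API: dpd_conn_logs lives in conn.bro,
# protocol_confirmation / protocol_violation pass the analyzer tag as a
# count, analyzer_name() maps that tag to a string, and join_string_set()
# exists. Verify against event.bif for your version.

@load dpd
@load conn
@load detect-protocols

# Make the service field of conn.log reflect DPD results instead of the
# port-based classification that is the backwards-compatible default.
redef dpd_conn_logs = T;

# Every analyzer that confirmed on a connection, keyed by conn_id, so a
# flow matched by more than one analyzer keeps all of its labels.
global dpd_labels: table[conn_id] of set[string];

event protocol_confirmation(c: connection, atype: count, aid: count)
{
    if ( c$id !in dpd_labels )
        dpd_labels[c$id] = set();
    add dpd_labels[c$id][analyzer_name(atype)];
}

event protocol_violation(c: connection, atype: count, aid: count, reason: string)
{
    # A violation after a confirmation makes the label doubtful; report
    # it so that the flow can be queued for manual verification.
    print fmt("%s:%s -> %s:%s: %s violated (%s)",
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
              analyzer_name(atype), reason);
}

event connection_state_remove(c: connection)
{
    # Emit the final label set when the connection leaves the state
    # table; flows with no confirmation get no line here and stay
    # port-labelled in conn.log.
    if ( c$id in dpd_labels )
    {
        print fmt("%s:%s -> %s:%s labels=%s",
                  c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
                  join_string_set(dpd_labels[c$id], ","));
        delete dpd_labels[c$id];
    }
}
```

Run it against a trace with something like `bro -r trace.pcap this-script.bro`; the connection-level lines printed here give one label set per flow independent of conn.log, while the Notices from detect-protocols (which only report protocols on non-standard ports, as the reply above says) remain a separate output.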
