[Bro] DPD not getting expected results
Eric Thomas
edthoma at sandia.gov
Mon Jan 12 13:39:14 PST 2009
I'm running bro in offline mode (-r) trying to get various aspects of DPD
to work. I needed a good trace to test, so I configured system B's SSH to
run on ports 22, 23, and 80. Then I got a packet trace (tcpdump -w) while
SSH'ing from system A to those three ports on system B.
I ran bro on the trace with the following policy files (in this order):
notice conn dpd irc-bot dyn-disable detect-protocols detect-protocols-http
proxy http-request http-reply ssh zzz-custom
zzz-custom is my custom policy file for redefs. In that file I redef'd
dpd_conn_logs to T and ensured an all-inclusive capture_filter.
The results are not what I was hoping for. I expected, because I enabled
dpd_conn_logs, that SSH would be properly detected and the conn log would
indicate that. Instead, there is a ? appended after the name of the port,
which indicates the protocol wasn't parsed. I expected to see
ProtocolViolation messages in the notice log because of the non-http
protocol on port 80 (this is a feature of dyn-disable). And I expected to
see ProtocolFound and ServerFound notices because of the SSH protocol on a
non-standard port (according to the wiki, that code is in
detect-protocols.bro). None of the three things I expected to happen
happened.
My notice log is completely empty. And the conn log has the three
connections I expected (albeit with the missing detected protocol). I'm
running bro 1.4. Any ideas on what I'm doing wrong here?
Eric T
edthoma at sandia.gov