[Bro] Filtering based on port-number
Sunjeet Singh
sstattla at gmail.com
Thu Oct 7 10:47:06 PDT 2010
Hi,
The Bro Analyzers operate on the principle that port number is not a
good indicator of protocol. But the filtering step does exactly the
opposite.
For example, the filter applied when the default brolite.bro policy file
is used is:
((((((((((port telnet or tcp port 513) or (tcp[13] & 7 != 0)) or (tcp
dst port 80 or tcp dst port 8080 or tcp dst port 8000)) or (tcp src port
80 or tcp src port 8080 or tcp src port 8000)) or (port 111)) or
((ip[6:2] & 0x3fff != 0) and tcp)) or (udp port 69)) or (port 6666)) or
(tcp port smtp or tcp port 587)) or (port ftp)) or (port 6667)
Thanks to the filtering step,
1. Bro will analyze some traffic that didn't belong to any of the
'relevant' protocols until it realizes that it can safely be discarded, and
2. Bro will not analyze traffic that belonged to one of the relevant
protocols because it was filtered out for not being used on the standard
port.
Is this true? And if so, is this an okay side-effect to have of the
filtering step?
Thank you,
Sunjeet Singh
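As an added example (not part of the post or of Bro itself), the brolite.bro capture filter quoted above re-expressed as a Python predicate over constructed raw IPv4/TCP/UDP headers, so that the two side-effects described in the post can be checked directly. The named ports are assumed to resolve to their standard assignments (telnet 23, smtp 25, ftp 21); addresses and payloads are constructed and irrelevant to the filter.

```python
import struct

# Constructed sample endpoints; the addresses play no role in the filter.
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])

def ipv4(proto, l4, frag_field=0x4000):
    """Minimal 20-byte IPv4 header (constructed). frag_field is the
    flags/fragment-offset word that BPF reads as ip[6:2]; 0x4000 = DF only."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0,
                       frag_field, 64, proto, 0, SRC, DST) + l4

def tcp(sport, dport, flags):
    """20-byte TCP header; byte 13, which BPF reads as tcp[13], holds the flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)

def udp(sport, dport):
    """8-byte UDP header (constructed)."""
    return struct.pack("!HHHH", sport, dport, 8, 0)

def brolite_filter(pkt):
    """True if the brolite.bro capture filter quoted in the post would keep pkt."""
    ihl = (pkt[0] & 0x0F) * 4
    is_tcp, is_udp = pkt[9] == 6, pkt[9] == 17
    frag = struct.unpack("!H", pkt[6:8])[0]            # ip[6:2]
    l4 = pkt[ihl:]
    ports = set(struct.unpack("!HH", l4[:4]))          # {src port, dst port}
    if is_tcp and l4[13] & 7:                          # tcp[13] & 7: FIN, SYN or RST set
        return True
    if is_tcp and frag & 0x3FFF:                       # fragmented TCP (MF flag or offset)
        return True
    if is_tcp and ports & {513, 80, 8080, 8000, 25, 587}:   # tcp port 513, 80/8080/8000, smtp, 587
        return True
    if is_udp and 69 in ports:                         # udp port 69
        return True
    return bool(ports & {23, 111, 6666, 21, 6667})     # port telnet/111/6666/ftp/6667, any protocol

def side_effects():
    """Returns (irrelevant_kept, nonstandard_syn_kept, nonstandard_data_kept)."""
    # 1. a PSH/ACK data segment to tcp/80 passes the filter whether or not it is HTTP
    irrelevant_kept = brolite_filter(ipv4(6, tcp(40000, 80, 0x18)))
    # 2. HTTP on tcp/8081: the SYN passes via tcp[13] & 7, but the data segments do not
    syn_kept = brolite_filter(ipv4(6, tcp(40001, 8081, 0x02)))
    data_kept = brolite_filter(ipv4(6, tcp(40001, 8081, 0x18)))
    return irrelevant_kept, syn_kept, data_kept        # (True, True, False)
```

The tcp[13] & 7 clause keeps every SYN, FIN and RST regardless of port, so connection setup and teardown on a non-standard port is still captured; it is the data segments in between that the filter drops.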