[Bro] Filtering based on port-number

Peter Erickson redlamb19 at gmail.com
Thu Oct 7 12:41:00 PDT 2010


I thought the same thing when I first started looking at Bro and its
dynamic protocol detection (dpd) about 2 months ago. Take a look at the
dpd wiki page which gives a good description of how it works. It also
states:

when loading dpd you may need to change the filter to include all
packets, e.g. on the command line:
bro -f "tcp or udp or icmp" ...

** Sunjeet Singh <sstattla at gmail.com> [2010-10-07 10:47:06 -0700] **
>   Hi,
> 
> The Bro Analyzers operate on the principle that port number is not a 
> good indicator of protocol. But the filtering step does exactly the 
> opposite.
> 
> For example, the filter applied when the default brolite.bro policy file 
> is used is-
> ((((((((((port telnet or tcp port 513) or (tcp[13] & 7 != 0)) or (tcp 
> dst port 80 or tcp dst port 8080 or tcp dst port 8000)) or (tcp src port 
> 80 or tcp src port 8080 or tcp src port 8000)) or (port 111)) or 
> ((ip[6:2] & 0x3fff != 0) and tcp)) or (udp port 69)) or (port 6666)) or 
> (tcp port smtp or tcp port 587)) or (port ftp)) or (port 6667)
> 
> Thanks to the filtering step,
> 1. Bro will analyze some traffic that didn't belong to any of the 
> 'relevant' protocols until it realizes that it can safely be discarded, and
> 2. Bro will not analyze traffic that belonged to one of the relevant 
> protocols because it was filtered out for not being used on the standard 
> port.
> 
> Is this true? And if so, is this an okay side-effect to have of the 
> filtering step?
> 

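To make the trade-off in the quoted question concrete, here is an added example (not code from this post, from the wiki, or from Bro itself) that models the brolite.bro capture filter quoted above and the "tcp or udp or icmp" filter the dpd page recommends, then runs both over a constructed HTTP exchange. The Packet class, the client port 40000, the off-port server port 8081 and the payload bytes are all assumptions made for the illustration; the filter terms themselves are transcribed from the quoted expression.

```python
# Added example (not Bro's code): model the quoted brolite.bro capture filter
# and the DPD-friendly "tcp or udp or icmp" filter over constructed packets to
# see which packets of an off-port HTTP connection each one lets through.
from __future__ import annotations
from dataclasses import dataclass

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
TELNET, SMTP, FTP = 23, 25, 21   # service names tcpdump resolves via /etc/services


@dataclass
class Packet:
    """Simplified packet (an assumption of this example): just the header
    fields the filter expression looks at, plus the TCP payload."""
    proto: str                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: int = 0              # TCP flags byte, i.e. tcp[13]
    ip_frag: int = 0            # IP header bytes 6..7, i.e. ip[6:2] (flags + offset)
    payload: bytes = b""


def port(pkt: Packet, p: int) -> bool:
    """BPF 'port p': either endpoint of a TCP or UDP packet uses port p."""
    return pkt.proto in ("tcp", "udp") and p in (pkt.sport, pkt.dport)


def brolite_filter(pkt: Packet) -> bool:
    """The port-based filter quoted in the thread, transcribed term by term."""
    tcp = pkt.proto == "tcp"
    udp = pkt.proto == "udp"
    return (
        port(pkt, TELNET) or (tcp and port(pkt, 513))
        or (tcp and (pkt.flags & 7) != 0)             # tcp[13] & 7: FIN/SYN/RST of ANY connection
        or (tcp and pkt.dport in (80, 8080, 8000))
        or (tcp and pkt.sport in (80, 8080, 8000))
        or port(pkt, 111)
        or (tcp and (pkt.ip_frag & 0x3FFF) != 0)      # fragmented TCP (MF flag or nonzero offset)
        or (udp and port(pkt, 69))
        or port(pkt, 6666)
        or (tcp and (port(pkt, SMTP) or port(pkt, 587)))
        or port(pkt, FTP)
        or port(pkt, 6667)
    )


def dpd_filter(pkt: Packet) -> bool:
    """The filter the dpd wiki page suggests: 'tcp or udp or icmp'."""
    return pkt.proto in ("tcp", "udp", "icmp")


def http_session(server_port: int) -> list[Packet]:
    """Constructed client->server HTTP exchange on an arbitrary server port."""
    c, s = 40000, server_port   # client port and server port are assumptions
    return [
        Packet("tcp", c, s, TCP_SYN),
        Packet("tcp", s, c, TCP_SYN | TCP_ACK),
        Packet("tcp", c, s, TCP_ACK),
        Packet("tcp", c, s, TCP_ACK, payload=b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
        Packet("tcp", s, c, TCP_ACK, payload=b"HTTP/1.1 200 OK\r\n\r\n"),
        Packet("tcp", c, s, TCP_FIN | TCP_ACK),
    ]


def captured(pkts: list[Packet], flt) -> list[Packet]:
    """Packets that survive the capture filter and reach the analyzers."""
    return [p for p in pkts if flt(p)]


def payload_seen(pkts: list[Packet], flt) -> bytes:
    """Bytes DPD could actually inspect: payload of the packets the filter passes."""
    return b"".join(p.payload for p in captured(pkts, flt))


if __name__ == "__main__":
    for sport in (80, 8081):
        sess = http_session(sport)
        for name, flt in (("brolite", brolite_filter), ("tcp/udp/icmp", dpd_filter)):
            print(f"server port {sport:5d} {name:13s}: "
                  f"{len(captured(sess, flt))}/{len(sess)} packets, "
                  f"{len(payload_seen(sess, flt))} payload bytes")
```

Running it shows the second of the two side-effects directly: for the HTTP connection on port 8081 the brolite filter still passes the SYN, SYN-ACK and FIN packets (the tcp[13] & 7 term keeps connection bookkeeping for every TCP connection), but drops every data-carrying packet, so dpd never gets a byte of payload to classify. With "tcp or udp or icmp" the whole exchange is captured, at the cost of handing every packet to Bro, which is the first side-effect the question describes.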