[Bro] Bro and unusual http ports

C. L. Martinez carlopmart at gmail.com
Mon Nov 19 02:55:59 PST 2012


On Sat, Nov 17, 2012 at 2:13 AM, Seth Hall <seth at icir.org> wrote:
>
> On Nov 16, 2012, at 6:40 PM, "Castle, Shane" <scastle at bouldercounty.org> wrote:
>
>> What am I missing?
>
> Could you send me a packet capture?  I'm curious as to why the signature isn't matching.
>
>> BTW this is Bro 2.0 (yes I know, consider me chastised) but the scripts seem to be the same in 2.1.
>
>
> Hah!  Yeah, not much difference between 2.0 and 2.1 with this, the change to it will be coming with 2.2. :)
>
> If you want to add port 3000/tcp as an HTTP port you can add this to a script…
>
> add dpd_config[ANALYZER_HTTP]$ports[3000/tcp];
>
>   .Seth
>

Interesting ... Seth, is it possible to add port ranges and standalone
ports at the same time? Or is it necessary to define every HTTP
port? For example:

add dpd_config[ANALYZER_HTTP]$ports[3001/tcp];
add dpd_config[ANALYZER_HTTP]$ports[3002/tcp];
add dpd_config[ANALYZER_HTTP]$ports[3003/tcp];
add dpd_config[ANALYZER_HTTP]$ports[3004/tcp];
add dpd_config[ANALYZER_HTTP]$ports[5000/tcp];
