[Bro] Bro and unusual http ports

Castle, Shane scastle at bouldercounty.org
Tue Nov 20 10:27:00 PST 2012


This is giving me no joy on Bro 2.0, which barfs on seeing the "add" expression. When I try to emulate what base/protocols/http/main.bro does with

redef dpd_config += { [[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = set(3000/tcp)] };

I wind up having replaced the port list instead of adding to it. Also, the capture_filters var seems to need updating or replacing.

Any ideas? I'm out.

-- 
Shane Castle
Data Security Mgr, Boulder County IT


-----Original Message-----
From: Seth Hall [mailto:seth at icir.org] 
Sent: Friday, November 16, 2012 19:14
To: Castle, Shane
Cc: bro at bro-ids.org
Subject: Re: [Bro] Bro and unusual http ports


On Nov 16, 2012, at 6:40 PM, "Castle, Shane" <scastle at bouldercounty.org> wrote:

> What am I missing? 

Could you send me a packet capture?  I'm curious as to why the signature isn't matching.

> BTW this is Bro 2.0 (yes I know, consider me chastised) but the scripts seem to be the same in 2.1.


Hah!  Yeah, not much difference between 2.0 and 2.1 with this, the change to it will be coming with 2.2. :)

If you want to add port 3000/tcp as an HTTP port you can add this to a script...

add dpd_config[ANALYZER_HTTP]$ports[3000/tcp];

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
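Added example, not from either message in the thread: a local script for Bro 2.0/2.1 that does what Shane is attempting (HTTP analysis on tcp/3000) while working around the replacement behaviour he observed. A `redef dpd_config += { [key] = rec }` entry overwrites the whole `dpd_config_rec` for that key rather than merging its `$ports` set, so the script repeats the full port list with 3000/tcp appended and, as the thread notes is needed, also extends `capture_filters`. The name `http_ports_plus_3000` and the filter key `"http-3000"` are my choices, and the stock port list is what I recall from `base/protocols/http/main.bro` in the 2.x series; copy the real list from the installed file.

```bro
# Added example (not from the thread): teach Bro 2.0/2.1 that tcp/3000 is HTTP
# without dropping the ports the base scripts already register.
#
# Load after the base scripts, e.g. via @load from local.bro.
@load base/protocols/http

# A redef'd dpd_config entry REPLACES the record for its key instead of merging
# the $ports set, so the full list must be repeated here with the extra port.
# Assumption: the first eight ports are the 2.x defaults; verify against the
# installed base/protocols/http/main.bro.
const http_ports_plus_3000: set[port] = {
	80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp,
	8000/tcp, 8080/tcp, 8888/tcp,
	3000/tcp
};

# Both HTTP analyzer tags are keyed separately, so both get the new record,
# mirroring the double-bracket form main.bro itself uses.
redef dpd_config += {
	[[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = http_ports_plus_3000]
};

# When Bro builds its BPF from capture_filters, port 3000 also has to be let in
# at the capture layer or the analyzer never sees the traffic. Entries in this
# table are OR'd together, so a new key is enough; the key name is arbitrary.
redef capture_filters += { ["http-3000"] = "tcp port 3000" };
```

Check the result with `bro -r sample.pcap` (a capture containing a request to port 3000) and confirm the connection appears in `http.log` with `id.resp_p` of 3000. On Bro 2.2 and later, which Seth says is where the change lands, the per-analyzer port sets are registered instead with `Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, set(3000/tcp))` from inside `event bro_init()`, which adds to the existing set rather than replacing it; that API is not part of the thread and is noted here only for readers on newer versions.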
