[Bro] Bro and unusual http ports

Castle, Shane scastle at bouldercounty.org
Tue Nov 20 15:58:13 PST 2012


I've made some progress here. I copied some of the components from ./base/protocols/http/main.bro and created a local script in ./site, naming it local-http-add.bro, and used a @load in local.bro for it. It's pretty short.

---------------------------------------------------------------------
# Ports on which the HTTP analyzers should be tried (80/tcp is the default).
const ports = {
        80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3000/tcp,
        3138/tcp, 8000/tcp, 8080/tcp, 8888/tcp,
};

# Register both HTTP analyzers with dynamic protocol detection for those ports.
redef dpd_config += {
        [[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = ports],
};

# Widen the BPF capture filter to match, so traffic on these ports reaches the analyzers.
redef capture_filters += {
        ["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3000 or 3138 or 8000 or 8080 or 8888)"
};

# Treat 3000/tcp as a likely server port so connection direction is inferred correctly.
redef likely_server_ports += { 3000/tcp };
---------------------------------------------------------------------

Anyhow, this works, and does what I want. If there's a more succinct way of doing this I haven't figured it out.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
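A variant of the script above, added here as an example and not taken from the original post, that derives the BPF capture filter from the same port set so the two lists cannot drift apart. It assumes the Bro 2.0/2.1 script API used in the thread; the names http_ports and http_ports_bpf are chosen for this example.

```bro
# Single source of truth for the non-standard HTTP ports (name chosen for this example).
const http_ports: set[port] = {
        80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3000/tcp,
        3138/tcp, 8000/tcp, 8080/tcp, 8888/tcp,
} &redef;

# Build "tcp and port (80 or 81 or ...)" from the set instead of typing it twice.
# Note: this is evaluated when the redef below is parsed, so later redefs of
# http_ports in other scripts are not reflected in the capture filter.
function http_ports_bpf(): string
        {
        local nums: vector of string = vector();
        for ( p in http_ports )
                nums[|nums|] = fmt("%d", port_to_count(p));
        return fmt("tcp and port (%s)", join_string_vec(nums, " or "));
        }

# Register both HTTP analyzers with DPD for every port in the set.
redef dpd_config += {
        [[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = http_ports],
};

# Capture filter generated from the same set.
redef capture_filters += { ["http"] = http_ports_bpf() };

# Non-standard ports that are servers on this network, for direction inference.
redef likely_server_ports += { 3000/tcp };
```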


-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Castle, Shane
Sent: Tuesday, November 20, 2012 13:55
To: Seth Hall
Cc: bro at bro-ids.org List
Subject: Re: [Bro] Bro and unusual http ports

Nope, it was there. Just checked with the saved version that doesn't work.

Maybe I've tickled a bug in 2.0? I've been putting off the 2.1 upgrade but maybe now I shouldn't.

-- 
Shane Castle
Data Security Mgr, Boulder County IT


-----Original Message-----
From: Seth Hall [mailto:seth at icir.org] 
Sent: Tuesday, November 20, 2012 13:52
To: Castle, Shane
Cc: Seth Hall; bro at bro-ids.org List
Subject: Re: [Bro] Bro and unusual http ports


On Nov 20, 2012, at 3:25 PM, "Castle, Shane" <scastle at bouldercounty.org> wrote:

> I was putting this in site/local.bro. If I use the "add" expression, I get this sort of error message:
> 
> error in /usr/local/share/bro/policy/misc/loaded-scripts.bro, line 3: syntax error, at or near "module"


Is it possible you forgot the semicolon at the end of the line?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/


_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
