[Bro] How to do with Bro 2.1

keqhe at cs.wisc.edu keqhe at cs.wisc.edu
Fri Oct 5 20:59:32 PDT 2012


>
> On Oct 5, 2012, at 5:11 PM, keqhe at cs.wisc.edu wrote:
>
>> Bro 2.1 employs DPD to do application layer protocol classification.
>> That is, it looks at the first few packets' payload to determine its
>> service type.
>
> Here's the paper that describes it in more detail if this helps:
> 	http://www.icir.org/robin/papers/usenix06.pdf
>
>> However, I notice that a large number of flows going through port 80 are
>> considered as TCP not HTTP. We just want Bro to do application layer
>> protocol classification based on port. What should I do?
>
> I think you're going to have to describe more about what you are actually
> seeing that you think is incorrect.  TCP and HTTP are different classes of
> protocol anyway since TCP is transport and HTTP is application.  Bro
> should be identifying supported protocols on any port and attaching an
> appropriate analyzer if one exists.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
Hello Seth:

Thank you for your information, I have read the paper you mentioned.

I am wondering whether it is possible for Bro to do traffic analysis just
based on port. For example, traffic going through port 80 is regarded as
http in traffic analysis. However, there are a large number of http
handshake flows such as "SYN-SYN/ACK-ACK". These flows mean there is no
data, but strictly speaking, they should be regarded as http traffic
although they carry no data. However, Bro 2.1 just views these kinds of
flows as tcp. Can users modify its default standard for http? I mean, how
do I modify the event trigger for a certain application service? For
example, if some user just wants to use the port number to trigger the http
traffic analyzer, what should we users do? Is there any information for
these kinds of requirements?

Besides, I observe that Bro 2.1 can only classify flows that complete the
three-way handshake successfully. If the flow is incomplete, Bro 2.1 does
nothing to try to identify application layer protocols. Is it possible
for us users to modify this?

Thanks again!

Keqiang
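The distinction both messages turn on is visible in Bro's conn.log: the `proto` column is the transport (tcp for every flow here), while the `service` column is filled only when a DPD analyzer confirms an application protocol on payload. A handshake-only flow ("SYN-SYN/ACK-ACK") carries no payload for any analyzer to inspect, so the only information available to label it is the responder port. The following Python script is an added example, not code from the Bro project or from this thread: it parses conn.log records using the log's own `#fields` header, keeps DPD's label where present, and falls back to a port table where `service` is unset, while flagging which records were labelled by port alone. The port table and the sample records are constructed for this example (the records follow the Bro 2.1 conn.log column layout; field values are made up).

```python
"""Port-based fallback service labelling for Bro conn.log records.

Added example, not code from the Bro project or the thread. Where DPD
confirmed a protocol the `service` column is used as-is; where it is
unset ('-'), the responder port is looked up in an illustrative port
table (an assumption of this example, not Bro's own port list).
"""
from typing import Dict, List, Tuple

# Illustrative port -> service table; an assumption of this example.
PORT_SERVICES: Dict[int, str] = {
    80: "http", 8000: "http", 8080: "http",
    443: "ssl",
    22: "ssh",
    53: "dns",
}

# Constructed sample records in the Bro 2.1 conn.log layout (tab-separated,
# '-' marks an unset field). All values are made up for this example.
_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
           "proto", "service", "duration", "orig_bytes", "resp_bytes",
           "conn_state", "local_orig", "missed_bytes", "history",
           "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
           "tunnel_parents"]
_ROWS = [
    # Full HTTP exchange on port 80: DPD confirmed the analyzer.
    ["1349484000.000000", "CuidA1", "10.0.0.5", "51234", "192.0.2.10", "80",
     "tcp", "http", "0.120000", "312", "1540", "SF", "-", "0", "ShADadFf",
     "6", "632", "5", "1800", "(empty)"],
    # SYN-SYN/ACK-ACK only on port 80: no payload, so DPD never fires.
    ["1349484001.000000", "CuidB2", "10.0.0.6", "51235", "192.0.2.10", "80",
     "tcp", "-", "0.030000", "0", "0", "S1", "-", "0", "ShA",
     "2", "104", "1", "60", "(empty)"],
    # HTTP on a non-standard port: DPD found it, the port table would not.
    ["1349484002.000000", "CuidC3", "10.0.0.7", "51236", "192.0.2.11", "8081",
     "tcp", "http", "0.500000", "400", "9000", "SF", "-", "0", "ShADadFf",
     "8", "900", "9", "9500", "(empty)"],
    # Rejected SYN to 443: nothing to classify beyond the port.
    ["1349484003.000000", "CuidD4", "10.0.0.8", "51237", "192.0.2.12", "443",
     "tcp", "-", "0.010000", "0", "0", "REJ", "-", "0", "Sr",
     "1", "52", "1", "40", "(empty)"],
]
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09", "#unset_field\t-", "#path\tconn",
     "#fields\t" + "\t".join(_FIELDS)]
    + ["\t".join(r) for r in _ROWS]) + "\n"


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro ASCII log, taking column names from its #fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other header/footer lines (#separator, #close, ...)
        cols = line.split("\t")
        if not fields or len(cols) != len(fields):
            raise ValueError("record does not match #fields header: %r" % line)
        records.append(dict(zip(fields, cols)))
    return records


def is_handshake_only(rec: Dict[str, str]) -> bool:
    """True when neither side sent payload, i.e. DPD had nothing to inspect."""
    return rec["orig_bytes"] == "0" and rec["resp_bytes"] == "0"


def label_service(rec: Dict[str, str]) -> Tuple[str, str]:
    """Return (service, source): 'dpd' when Bro confirmed the protocol,
    'port' when the responder port supplies a fallback, 'none' otherwise."""
    if rec["service"] != "-":
        return rec["service"], "dpd"
    port = int(rec["id.resp_p"])
    if port in PORT_SERVICES:
        return PORT_SERVICES[port], "port"
    return "-", "none"


def summarize(text: str) -> Dict[Tuple[str, str], int]:
    """Count records per (service, source) so the share of port-only labels
    is visible separately from DPD-confirmed ones."""
    counts: Dict[Tuple[str, str], int] = {}
    for rec in parse_conn_log(text):
        key = label_service(rec)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in parse_conn_log(SAMPLE_CONN_LOG):
        svc, src = label_service(rec)
        print(rec["uid"], rec["id.resp_p"], svc, src,
              "handshake-only" if is_handshake_only(rec) else "")
    print(summarize(SAMPLE_CONN_LOG))
```

Keeping the `source` tag next to each label matters for anything built on top of the log: a port-derived "http" on a handshake-only flow says only that someone tried to reach a web port, while a DPD-derived "http" on port 8081 is something a port table alone would never have shown.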