[Bro] How to do with Bro 2.1

keqhe at cs.wisc.edu keqhe at cs.wisc.edu
Sat Oct 6 08:55:48 PDT 2012


>
> On Oct 5, 2012, at 11:59 PM, keqhe at cs.wisc.edu wrote:
>
>> However, there are a large number of http
>> handshake flows such as "SYN-SYN/ACK-ACK". These flows mean there is no
>> data, but strictly speaking, they should be regarded as http traffic
>> although they carry no data.
>
> I don't agree that it should be regarded as HTTP traffic.  Just because
> you have a wine glass doesn't mean it's full of wine. :)
>
> Typically the "service" field in the conn log is supposed to be understood
> as the protocol analyzer or analyzers that Bro used upon the connection
> successfully (since it can try analyzers and allow them to fail then
> remove them).
>
>> Besides, I observe that Bro 2.1 can only classify flows that complete the
>> three-way handshake successfully. If the flow is incomplete, Bro 2.1 does
>> nothing to try to identify application layer protocols. Is it possible
>> for us users to modify this?
>
>
> This is a known issue and something that we've been planning on addressing
> in a generic way soon so that the analyzers will be able to "re-sync" to
> the traffic.  There is a ticket somewhere in our tracker about it.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
Hello, sorry to disturb you again. Do you know whether there is any document
guiding users to make http or https identification based on port number only?
In other words, how do we disable the http and https signature matching
function? Bro does more than we expected; can we make its standard for judging
http and https weaker?
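The point Seth makes above is that the `service` column records which analyzer actually succeeded on the connection, so a bare SYN-SYN/ACK-ACK flow to port 80 stays unlabelled no matter what the port says. Rather than weakening Bro's protocol judgement, a reader can keep Bro's label and add a port-based hint in post-processing. The script below is an added example, not code from the thread or from the Bro project: it parses a Bro 2.1 style conn.log, tells analyzer-confirmed flows apart from handshake-only flows and from flows that only match on port, and counts each kind. The conn.log excerpt and the port table (`PORT_HINTS`) are constructed for the example and are assumptions, not page data.

```python
"""Separate analyzer-confirmed from port-guessed protocol labels in a Bro 2.1 conn.log.

Added example (not from the mailing-list thread or the Bro project).
The `service` field is what Bro's analyzers confirmed on the wire; the
port hint is our own post-processing guess, kept in a separate column so
the two are never confused.
"""

# Assumption: ports we are willing to treat as a protocol hint by number alone.
PORT_HINTS = {80: "http", 8080: "http", 443: "ssl"}

# Constructed conn.log excerpt in Bro 2.1 layout (tab separated, "-" = unset).
# Ca2/Ca3 are handshake-only flows, Ca5 is HTTP on an unusual port, Ca6 sent
# data to port 80 but no analyzer confirmed HTTP.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes\thistory"
    "\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents\n"
    "1349000000.000000\tCa1\t10.0.0.5\t51000\t192.0.2.10\t80\ttcp\thttp\t0.512\t300\t1200"
    "\tSF\t-\t0\tShADadFf\t6\t620\t5\t1460\t(empty)\n"
    "1349000001.000000\tCa2\t10.0.0.5\t51001\t192.0.2.10\t80\ttcp\t-\t0.004\t0\t0"
    "\tS1\t-\t0\tShA\t2\t104\t1\t60\t(empty)\n"
    "1349000002.000000\tCa3\t10.0.0.5\t51002\t192.0.2.11\t443\ttcp\t-\t0.003\t0\t0"
    "\tS1\t-\t0\tShA\t2\t104\t1\t60\t(empty)\n"
    "1349000003.000000\tCa4\t10.0.0.5\t51003\t192.0.2.12\t8080\ttcp\thttp\t0.220\t150\t900"
    "\tSF\t-\t0\tShADadFf\t5\t400\t4\t1100\t(empty)\n"
    "1349000004.000000\tCa5\t10.0.0.5\t51004\t192.0.2.13\t8888\ttcp\thttp\t0.300\t200\t800"
    "\tSF\t-\t0\tShADadFf\t5\t450\t4\t1000\t(empty)\n"
    "1349000005.000000\tCa6\t10.0.0.5\t51005\t192.0.2.14\t80\ttcp\t-\t0.100\t40\t0"
    "\tRSTO\t-\t0\tShADR\t3\t220\t1\t60\t(empty)\n"
)


def parse_conn_log(text):
    """Return one dict per record, keyed by the names in the #fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other header lines (#separator, #types, ...) carry no records
        if fields is None:
            raise ValueError("record seen before #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def _count(value):
    """Bro writes unset counts as '-'; treat them as zero bytes."""
    return 0 if value == "-" else int(value)


def classify(rec):
    """Say where a record's protocol label comes from, if it has one at all."""
    service = "" if rec["service"] == "-" else rec["service"]
    port_hint = PORT_HINTS.get(int(rec["id.resp_p"]), "")
    no_payload = _count(rec["orig_bytes"]) == 0 and _count(rec["resp_bytes"]) == 0
    if service:
        source = "analyzer"        # Bro confirmed the protocol on the wire
    elif no_payload:
        source = "handshake-only"  # nothing for any analyzer to judge
    elif port_hint:
        source = "port-only"       # payload seen, but only the port suggests a protocol
    else:
        source = "unlabelled"
    return {"uid": rec["uid"], "service": service, "port_hint": port_hint, "source": source}


def summarize(records):
    """Count records per label source."""
    counts = {}
    for rec in records:
        src = classify(rec)["source"]
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for rec in recs:
        c = classify(rec)
        print(f"{c['uid']}\tservice={c['service'] or '-'}\tport_hint={c['port_hint'] or '-'}\t{c['source']}")
    print(summarize(recs))
```

Run on a real conn.log by replacing `SAMPLE_CONN_LOG` with the file contents; the header parsing follows the `#fields` line, so extra columns in later Bro versions are tolerated. Keeping `service` and `port_hint` as separate columns preserves Seth's distinction: a handshake-only flow to port 80 gets a hint but never a confirmed service.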
