[Bro] How to do with Bro 2.1

Seth Hall seth at icir.org
Wed Oct 10 17:55:25 PDT 2012


On Oct 10, 2012, at 6:55 PM, Mike Sconzo <sconzo at visiblerisk.com> wrote:

> For example, http://www.bro-ids.org/documentation/scripts/base/protocols/http/file-extract.html
> adds ports to the DPD config. Does this mean that Bro only uses DPD on
> traffic over those ports added to the ports list?

No, DPD has two operating heuristics.  One heuristic, which has been the focus of this thread, is the port.  The other heuristic is the signatures, which currently reside here:

http://git.bro-ids.org/bro.git/blob/HEAD:/scripts/base/frameworks/dpd/dpd.sig

Analyzers will be attached to connections with the dpd_config variable and by signatures (multiple analyzers can simultaneously receive the data).  Typically, if more than one analyzer is instantiated for a connection, one of them will fail and be removed from the connection.

Does that clarify things more?  I think that what you want to happen is in fact what's happening.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
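
An added example (not from Seth's message or from the Bro distribution) showing the two attachment paths described above side by side for a site that serves HTTP on a non-standard port: the port heuristic through a dpd_config redef in a site script, and the signature heuristic through a .sig file in the same format as the dpd.sig linked above. The port 8081/tcp, the file name local-dpd.sig and the signature names are constructed for the illustration; the block assumes Bro 2.1's dpd_config record with a $ports field and the @load-sigs directive.

```bro
# --- Port heuristic, in the site policy (e.g. local.bro) ---
# dpd_config maps an analyzer to the ports it is attached on. 8081/tcp is
# a constructed non-standard HTTP port; the usual ports are listed too so
# the analyzer keeps being attached there as well.
redef dpd_config += {
	[ANALYZER_HTTP] = [$ports = set(80/tcp, 8080/tcp, 8081/tcp)]
};

# Pull in the signature file below from the same directory.
@load-sigs ./local-dpd.sig

# --- Signature heuristic, in local-dpd.sig ---
# Port-independent: the HTTP analyzer is enabled on a connection only when
# the originator sends an HTTP request line and the responder answers with
# an HTTP status line, so a stray "GET" in other traffic is not enough.
signature dpd_local_http_client {
  ip-proto == tcp
  payload /^[[:space:]]*(GET|HEAD|POST|PUT|DELETE|OPTIONS)[[:space:]]+[^[:space:]]+[[:space:]]+HTTP\/[0-9]/
  tcp-state originator
}

signature dpd_local_http_server {
  ip-proto == tcp
  payload /^HTTP\/[0-9]/
  tcp-state responder
  requires-reverse-signature dpd_local_http_client
  enable "http"
}
```

If both heuristics fire on the same connection the analyzer is still attached only once; if the traffic turns out not to be HTTP after all, the analyzer fails and is removed as described in the reply.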
