[Bro] Problems adding http ports to bro (git version)
Vlad Grigorescu
vladg at cmu.edu
Tue Aug 13 04:18:47 PDT 2013
Let's back up a bit. Bro uses signatures to detect protocols on non-standard ports, and it should also be able to identify the server and the client.
Out of the box, Bro should be able to automatically detect HTTP on all ports for you. If that's not working, that means that there's a problem with either how you're running Bro, or that there's a bug in Bro.
How are you running Bro? What does the conn.log line look like for an HTTP connection on a non-standard port that Bro failed to detect? Do you have a PCAP of such traffic that you could share (anonymized is fine)?
Having said all that, to answer your original question: The way you specify these ports for DPD changed in 2.2. If you take a look at base/protocols/http/main.bro:
    const ports = {
        80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp,
        8000/tcp, 8080/tcp, 8888/tcp,
    };
    redef likely_server_ports += { ports };

    # Initialize the HTTP logging stream and ports.
    event bro_init() &priority=5
        {
        Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]);
        Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
        }
--Vlad
On Aug 13, 2013, at 6:47 AM, C. L. Martinez <carlopmart at gmail.com> wrote:
> Nop, same result.
>
> On Tue, Aug 13, 2013 at 10:37 AM, Scott Runnels <srunnels at gmail.com> wrote:
>> Do you get a different result if you remove the trailing comma from
>> "51010/tcp,};" in the ports constant?
>>
>>
>> On Tue, Aug 13, 2013 at 5:55 AM, C. L. Martinez <carlopmart at gmail.com>
>> wrote:
>>>
>>> redef dpd_config += {
>>> [[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = ports],
>>> };
>>
>>
>>
>>
>> Scott Runnels
>>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
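Added example, not part of the original thread and not code from the Bro project: a site-local script that adds HTTP ports in the 2.2 style, following the pattern from base/protocols/http/main.bro quoted in the reply above. The constant name extra_http_ports and loading the script from local.bro are assumptions; 51010/tcp is the port mentioned in the thread.

```bro
# Constructed example for a site-local script (for instance one loaded
# from local.bro). The name extra_http_ports is hypothetical.
@load base/protocols/http

# Additional ports on which HTTP servers are expected at this site.
# 51010/tcp is the port mentioned in the thread.
const extra_http_ports = {
	51010/tcp,
};

# As in base/protocols/http/main.bro: add the ports to the global set
# of ports that are likely to belong to the server side.
redef likely_server_ports += { extra_http_ports };

# Bro 2.2 and later: register the HTTP analyzer for the ports directly.
# This takes the place of the pre-2.2 "redef dpd_config += { ... }"
# idiom quoted in the thread.
event bro_init() &priority=5
	{
	Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, extra_http_ports);
	}
```

Port registration only guarantees the analyzer is attached on those ports; signature-based detection on other ports still applies, so a connection missing `http` in the service field of conn.log on a registered port points at how Bro is being run rather than at the port list.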