[Bro] dpd unknown port

Juan Caballero juan.caballero at imdea.org
Mon Jul 21 06:26:54 PDT 2014


Hi all,
With Bro 2.2 and/or 2.3 what is the best way to tell Bro that I want a DPD
signature to be matched on any connection regardless of port?
I know I can use Analyzer::register_for_ports at bro_init to enable a set of
ports to analyze with an analyzer, but I have a case where I cannot predict
a priori the destination port in use by the protocol. It does not seem like
I can pass wildcards to register_for_port(s). If I have a DPD signature for
the protocol (e.g., for HTTP) what is the easiest way to tell Bro to use the
signature on any connection regardless of port? Can this be done on the
scripting layer? If not, any pointers to where I need to modify the code
to hook, say, the HTTP analyzer for every connection? (I am not concerned
about efficiency as I am running Bro on pcaps.)

BTW, I searched the mailing list for a reply, but all hits I found for Bro
2.2 and 2.3 referred to Analyzer::register_for_ports.

Thanks,
Juan





