[Bro] dpd unknown port

Siwek, Jon jsiwek at illinois.edu
Mon Jul 21 07:54:27 PDT 2014


On Jul 21, 2014, at 8:26 AM, Juan Caballero <juan.caballero at imdea.org> wrote:

> If I have a DPD signature for
> the protocol (e.g., for HTTP) what is the easiest way to tell Bro to use the
> signature on any connection regardless of port? Can this be done on the
> scripting layer?

It sounds like you want to write a signature [1] with a particular “payload” content condition and an “enable” action to activate a particular protocol analyzer.

- Jon

[1] http://www.bro.org/sphinx/frameworks/signatures.html
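
An added example, not part of the original message: a signature pair of the kind described in the reply, with a "payload" condition and an "enable" action and no port condition, so it is evaluated on TCP connections regardless of port. The signature names, the file name and the regular expressions are constructed for illustration.

```bro
# http-any-port.sig  (hypothetical file name)
# Load it from a Bro script with:  @load-sigs ./http-any-port.sig

# Originator side: payload starts with a common HTTP request method.
# There is no dst-port condition, so the port is not considered.
signature anyport_http_client {
  ip-proto == tcp
  tcp-state originator
  payload /^[[:space:]]*(GET|HEAD|POST)[[:space:]]+/
}

# Responder side: payload starts with an HTTP status line.
# Requiring the client signature on the reverse direction means one
# stray "HTTP/1." string in a stream does not attach the analyzer.
signature anyport_http_server {
  ip-proto == tcp
  tcp-state responder
  payload /^HTTP\/[0-9]/
  requires-reverse-signature anyport_http_client
  # Attach the HTTP analyzer to this connection.
  enable "http"
}
```

A looser payload pattern attaches the analyzer to more non-HTTP traffic, which shows up as protocol violations in dpd.log.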


