[Bro] dpd unknown port

Juan Caballero juan.caballero at imdea.org
Mon Jul 21 09:25:42 PDT 2014


Hi Jon,
Thanks for your answer.

> It sounds like you want to write a signature [1] with a particular
> "payload" content condition

In my case I simply want to use protocols such as HTTP, for which Bro already
has a DPD signature, so there is no need to create a new one.

> and an "enable" action to activate a particular protocol analyzer.

This is the step I do not know how to do. The only "enable" function I see
is "Analyzer::enable_analyzer(Analyzer::ANALYZER_HTTP)".
However, when I use that function it does not seem to enable the DPD
signature for all ports, i.e., an HTTP connection on port 7623/tcp does not
get analyzed unless I use Analyzer::register_for_ports to add port 7623/tcp.
Any suggestions for this step?

Thanks,
Juan



