[Bro] Does bro REALLY SUPPORT port-independent analysis of application-layer protocols?

(peter) 45070198 at qq.com
Mon May 19 21:48:29 PDT 2014


 The Bro documentation claims that it supports port-independent analysis of application-layer protocols, but in practice it does not.

 In the file /usr/local/bro/share/bro/base/protocols/socks/main.bro, there is some code as follows:

 const ports = { 1080/tcp };
 redef likely_server_ports += { ports };

 event bro_init() &priority=5
 	{
 	Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports);
 	}

  I started Bro and created a SOCKS server. Only when the port is 1080 could Bro detect it! How could I detect the SOCKS protocol if I started the SOCKS server on another port?
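As an added example (not part of the original post and not code from Bro's own socks/main.bro): the registration shown above is cumulative, so a site script can attach the SOCKS analyzer to further ports with the same Analyzer::register_for_ports call. The module name, the set name and the port values below are assumptions chosen for illustration; the script is meant to be loaded from site/local.bro, after base/protocols/socks.

```bro
# Added example for the thread above; not from the original post or from Bro.
# Assumed to be loaded from site/local.bro on a Bro 2.x install, after
# base/protocols/socks/main.bro has registered 1080/tcp.
module SOCKSExtra;

export {
	## Extra ports on which a SOCKS server is expected to listen.
	## The values are made up for the example; override with a redef.
	const extra_socks_ports: set[port] = { 8080/tcp, 9050/tcp } &redef;
}

# Mark the extra ports as likely server ports so that Bro orients
# connections on them correctly (originator = client, responder = server),
# using the same idiom as base/protocols/socks/main.bro.
redef likely_server_ports += { extra_socks_ports };

event bro_init() &priority=5
	{
	# Attach the SOCKS analyzer to the extra ports. This adds to, and does
	# not replace, the 1080/tcp registration done by the base script.
	Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, extra_socks_ports);
	}
```

This answers the question for ports the operator knows in advance. Bro's genuinely port-independent path (dynamic protocol detection) is driven by signatures that match the protocol's handshake bytes and then enable the analyzer; whether such a signature file ships for the SOCKS analyzer in the installed version can be checked by looking for a dpd.sig under share/bro/base/protocols/socks/ and by testing a SOCKS connection on an unregistered port against conn.log's service column.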

