[Bro] Does bro REALLY SUPPORT port-independent analysis of application-layer protocols?
(peter)
45070198 at qq.com
Mon May 19 21:48:29 PDT 2014
Hi,
The Bro documentation claims that it supports port-independent protocol analysis, but in practice it does not.
In the file /usr/local/bro/share/bro/base/protocols/socks/main.bro there is some code as follows:
const ports = { 1080/tcp };
redef likely_server_ports += { ports };

event bro_init() &priority=5
    {
    Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks]);
    Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports);
    }
I started Bro and created a SOCKS server. Only when the port equals 1080 could Bro detect it! How could I detect the SOCKS protocol if I started the SOCKS server on another port?
peter,
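An added diagnostic script, not from the original post: the 1080/tcp registration above is only a well-known-port hint, and the dynamic protocol detection (DPD) signatures shipped with the SOCKS analyzer activate it on other ports once the payload matches. The script below (module name SocksCheck and the set extra_socks_ports are assumed; 1081/tcp is a constructed value) reports which path confirmed SOCKS on each connection, so the behaviour can be checked against a capture of a SOCKS server on a non-standard port.

```bro
# Added example for checking SOCKS detection off port 1080 (Bro 2.x).
# Run against a capture:  bro -r capture.pcap ./socks_check.bro

@load base/protocols/socks

module SocksCheck;

export {
    # Optional extra well-known ports; 1081/tcp is a constructed value.
    const extra_socks_ports: set[port] = { 1081/tcp } &redef;
}

event bro_init() &priority=5
    {
    # Adding ports is optional: DPD signatures still enable the analyzer
    # on any port whose payload matches, this only makes the port a hint.
    Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, extra_socks_ports);
    }

# Raised once an analyzer has confirmed its protocol on a connection.
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
    {
    if ( atype != Analyzer::ANALYZER_SOCKS )
        return;

    # Distinguish "found via registered port" from "found via DPD".
    local how = c$id$resp_p in Analyzer::registered_ports(atype) ?
                "registered port" : "DPD on non-standard port";

    print fmt("SOCKS confirmed %s:%s -> %s:%s (%s)",
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, how);
    }

# Raised when an analyzer that was tried on a connection gives up on it.
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string)
    {
    if ( atype == Analyzer::ANALYZER_SOCKS )
        print fmt("SOCKS analyzer rejected %s:%s (%s)", c$id$resp_h, c$id$resp_p, reason);
    }
```

If a connection on another port never produces a confirmation, check socks.log is still empty and inspect dpd.log for a violation reason before concluding DPD is not active.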