[Bro] Redefine const that does not have "&redef" attribute

Hosom, Stephen M hosom at battelle.org
Wed Jan 14 09:06:41 PST 2015 

Without the &redef flag set, you can't redefine a constant. You would have to modify Bro's HTTP scripts in order to make the change you are trying to make. That is generally a bad idea.

I suspect that you're trying to get Bro to detect HTTP on a non-standard port. If this is the case, then you are likely already analyzing the traffic, as Bro dynamically detects HTTP running on any port and analyzes it all the same. Try capturing the non-standard HTTP and running it through Bro to see if it finds it, I'll bet that it does.

The signatures that enable the HTTP analyzer on non-standard ports are located at bro/scripts/base/protocols/http/dpd.sig ( https://github.com/bro/bro/blob/master/scripts/base/protocols/http/dpd.sig ) . Don't modify those either though.

If you truly have found an HTTP traffic pattern that Bro isn't detecting, you should write a signature similar to these ones, and include 'enable "http"' like they have done here. Here's a link to the documentation on signatures:
https://www.bro.org/sphinx-git/frameworks/signatures.html

Let me know how it goes!

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Ward Sladek
Sent: Wednesday, January 14, 2015 10:54 AM
To: bro at bro.org
Subject: [Bro] Redefine const that does not have "&redef" attribute

I want to redefine Bro's HTTP ports but I'm not having any luck...

The following code is in base/protocols/http/main.bro

    const ports = {
            81/tcp, 631/tcp, 1080/tcp, 8000/tcp, 8888/tcp,
    };
    redef likely_server_ports += { ports };


Here is what I've tried:

    redef HTTP::ports = {
            81/tcp, 631/tcp, 1080/tcp, 8000/tcp, 8888/tcp,
    };

Which generates error "already defined (HTTP::ports)"....  I also tried:


    const custom_http_ports = {
            81/tcp, 631/tcp, 1080/tcp, 8000/tcp, 8888/tcp,
    };

    redef HTTP::likely_server_ports += { custom_http_ports };

Which generates error ""redef" used but not previously defined (HTTP::likely_server_ports)"

A nudge in the right direction would be appreciated.

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150114/c73d729a/attachment-0001.html

More information about the Bro mailing list