[Bro] Redefine const that does not have "&redef" attribute

Ward Sladek wsladekjr at hotmail.com
Wed Jan 14 10:14:22 PST 2015


Thanks for the references and tips, that helps...  But I'm actually trying to do the opposite - instead of getting more detection, I'm trying to get less.  I want to exclude port 80 as our proxy has that covered (essentially causing duplication in SIEM)...


From: hosom at battelle.org
To: wsladekjr at hotmail.com; bro at bro.org
Subject: RE: [Bro] Redefine const that does not have "&redef" attribute
Date: Wed, 14 Jan 2015 17:06:41 +0000

Without the &redef flag set, you can’t redefine a constant. You would have to modify Bro’s HTTP scripts in order to make the change you are trying to make. That is generally a bad idea.

I suspect that you’re trying to get Bro to detect HTTP on a non-standard port. If this is the case, then you are likely already analyzing the traffic, as Bro dynamically detects HTTP running on any port and analyzes it all the same. Try capturing the non-standard HTTP and running it through Bro to see if it finds it, I’ll bet that it does.

The signatures that enable the HTTP analyzer on non-standard ports are located at bro/scripts/base/protocols/http/dpd.sig (https://github.com/bro/bro/blob/master/scripts/base/protocols/http/dpd.sig). Don’t modify those either though.

If you truly have found an HTTP traffic pattern that Bro isn’t detecting, you should write a signature similar to these ones, and include ‘enable “http”’ like they have done here. Here’s a link to the documentation on signatures: https://www.bro.org/sphinx-git/frameworks/signatures.html

Let me know how it goes!


From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Ward Sladek
Sent: Wednesday, January 14, 2015 10:54 AM
To: bro at bro.org
Subject: [Bro] Redefine const that does not have "&redef" attribute


I want to redefine Bro's HTTP ports but I'm not having any luck...

The following code is in base/protocols/http/main.bro

    const ports = {
            81/tcp, 631/tcp, 1080/tcp, 8000/tcp, 8888/tcp,
    };

    redef likely_server_ports += { ports };

Here is what I've tried:

    redef HTTP::ports = {
            81/tcp, 631/tcp, 1080/tcp, 8000/tcp, 8888/tcp,
    };

Which generates error "already defined (HTTP::ports)"....  I also tried:

    const custom_http_ports = {
            81/tcp, 631/tcp, 1080/tcp, 8000/tcp, 8888/tcp,
    };

    redef HTTP::likely_server_ports += { custom_http_ports };

Which generates error ""redef" used but not previously defined (HTTP::likely_server_ports)"

A nudge in the right direction would be appreciated.

Thanks

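The goal stated in the reply at the top of the thread, dropping port-80 HTTP from the log because the proxy already covers it, can be reached without redefining HTTP::ports at all: leave the analyzer alone and filter the log stream instead. The script below is an added example, not code from the thread or from the Bro project. It assumes the Bro 2.x logging framework as it stood in early 2015 (Log::Filter, Log::add_filter, Log::remove_filter, the HTTP::LOG stream and the HTTP::Info record); the set name proxied_http_ports, its contents and the filter name are assumptions chosen for the example.

```bro
# Added example, not from the thread: keep Bro's HTTP analysis intact but
# stop writing http.log records for connections the proxy already covers.
# Assumes the Bro 2.x logging framework (Log::Filter, Log::add_filter,
# Log::remove_filter). Load it from local.bro.

# Responder ports already logged by the proxy. Constructed value; other
# scripts can extend it with "redef proxied_http_ports += { ... };".
const proxied_http_ports: set[port] = { 80/tcp } &redef;

# Log predicate: return T to write the record, F to drop it.
function http_not_proxied(rec: HTTP::Info): bool
    {
    return rec$id$resp_p !in proxied_http_ports;
    }

event bro_init()
    {
    # The default filter writes every HTTP::Info record to http.log.
    # Replace it with a filter that keeps the same output path but applies
    # the predicate. HTTP::LOG is created by the HTTP scripts' own bro_init
    # handler at a higher priority, so it exists by the time this runs.
    Log::remove_filter(HTTP::LOG, "default");
    local f: Log::Filter = [$name="http-unproxied",
                            $path="http",
                            $pred=http_not_proxied];
    Log::add_filter(HTTP::LOG, f);
    }
```

Two points worth checking after loading this: the HTTP analyzer still runs on port 80, so notices, file extraction and anything else keyed off HTTP events keep working and only the http.log record is suppressed; and because the default filter is removed, a typo in the predicate or filter leaves http.log empty rather than noisy, so confirm with a short capture that non-proxied ports (e.g. 8080/tcp) still produce records.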