[Bro] "services" variable referenced in known-services.bro

Seth Hall seth at icir.org
Fri Jun 5 11:20:38 PDT 2015


> On Jun 5, 2015, at 11:25 AM, Earl Eiland <earl.eiland at root9b.com> wrote:
> 
> 
> I'm using known-services to build a list of observed network conversations and the protocols being used.  Known-services detects the TCP conversations, but I want to include UDP conversations as well.  Known-services.bro seems to use a global variable, "services";

The service field is a component of DPD (dynamic protocol detection) and the analyzer code in general.  You can find the script that actually populates that field here though:
	https://github.com/bro/bro/blob/master/scripts/base/protocols/conn/main.bro#L182

That’s going to be a little misleading though because it’s just pulling data from deeper in the connection record into the log.  The real story is that this is done as part of DPD, where protocols are guessed at with signatures and then a parser is attached.  Once the parser positively confirms that the protocol is in fact the protocol that the signature matched, it will indicate the service.

The right way to think about the service field is to think of it as an indicator that a connection was successfully analyzed by a particular analyzer.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
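As an added example (not Seth's code and not part of the Bro distribution), the following script hooks the same protocol_confirmation event that base/frameworks/dpd uses to populate c$service, and writes one record per responder endpoint and confirmed service, for UDP as well as TCP. The module name ConfirmedServices, the record type and the log stream are assumptions made for this example; is_udp_port, Analyzer::name, protocol_confirmation and Log::create_stream are existing Bro 2.x functions and events.

```bro
##! Added example: record every service that DPD positively confirmed,
##! keyed by responder host and port, including UDP services.  This is
##! illustration code for the thread above, not a Bro base script.

@load base/frameworks/dpd

module ConfirmedServices;

export {
	redef enum Log::ID += { LOG };

	## One line per (responder, port, transport, service) first seen.
	type Info: record {
		ts:      time   &log;
		host:    addr   &log;
		p:       port   &log;
		proto:   string &log;
		service: string &log;
	};

	## Tuples already written, so each endpoint/service pair is logged once.
	global seen: set[addr, port, string] = set();
}

event bro_init() &priority=5
	{
	# $path omitted on purpose so this also runs on Bro releases before 2.4;
	# the file name is then derived from the stream ID.
	Log::create_stream(LOG, [$columns=Info]);
	}

# protocol_confirmation is raised only after the analyzer that a DPD
# signature attached has successfully parsed the protocol.  A signature
# match that the analyzer later rejects raises protocol_violation instead
# and never reaches this handler, which is why an empty c$service means
# "not identified" rather than "no service".  The priority keeps this
# handler after the base DPD script, which adds the name to c$service.
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=-5
	{
	local svc = Analyzer::name(atype);
	local proto = is_udp_port(c$id$resp_p) ? "udp" : "tcp";

	if ( [c$id$resp_h, c$id$resp_p, svc] in seen )
		return;

	add seen[c$id$resp_h, c$id$resp_p, svc];

	Log::write(LOG, [$ts=network_time(), $host=c$id$resp_h, $p=c$id$resp_p,
	                 $proto=proto, $service=svc]);
	}
```

Run it with `bro -r some.pcap confirmed_services.bro` (or load it from local.bro); UDP protocols such as DNS appear because their analyzers confirm the protocol through the same event, so no TCP-only filtering is involved. Connections whose analyzer never confirmed, or that were closed before the analyzer saw enough payload, produce no line here, which matches the "successfully analyzed by a particular analyzer" reading of the service field.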
