[Bro] Protocol Analyzer
Ben Mixon-Baca
bmixonb1 at cs.unm.edu
Thu Sep 22 07:49:32 PDT 2016
Thanks, Johanna! That gives me a place to start.
On 09/21/2016 11:11 PM, Johanna Amann wrote:
> Hello Ben,
>
> the easiest way to accomplish this is probably to look into the c$service
> field - if it is empty, no analyzer has flagged that it can succesfully
> parse the protocol yet.
>
> This is, however, not perfect - c$service is populated by the
> protocol_confirmation/violation. Thus, it will only be set after a parser
> accepts that a connection actually "speaks" a protocol; so you will
> probably get the first few pacjets for every connection - see
> base/frameworks/dpd/main.bro for more details.
>
> Apart from that, you can also check Analyzer::registered_ports for ports
> where Bro always tries to attach a specific analyzer.
>
> I hope this helps,
> Johanna
>
> On Wed, Sep 21, 2016 at 04:29:05PM -0600, Ben Mixon-Baca wrote:
>> Hi,
>>
>> I am doing low level packet inspection using the tcp_packet event. I am
>> wondering if there is a way to inspect only the tcp payload if it
>> doesn't parse to any well-known tcp based application. For example, if
>> an application uses 20394/tcp for TLS, I would not want to see this
>> payload. However, if the application using 20394/tcp has a payload that
>> doesn't parse to anything Bro speaks, I would like to be able to inspect
>> this tcp payload.
>>
>> Thanks in advance!
>>
>> --
>> Ben
>>
>
>
>
>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
--
Ben
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160922/53e12673/attachment.bin
More information about the Bro
mailing list