[Bro] webapp detection

Johanna Amann johanna at icir.org
Tue May 30 10:30:59 PDT 2017


Hi,

You are probably intermingling two things here. Detect-webapps uses
signatures to find software like phpMyAdmin; it is not used to find things
like Facebook traffic.

The second one is the software framework, which tracks software versions.
If you load the right scripts it, e.g., logs Windows versions as
determined from some HTTP headers. This also is not used for Facebook,
etc.

There was a script to perform logging of information of applications like
Facebook (policy/misc/app-stats). This was removed in Bro 2.5, because it
was not maintained enough and not useful in its current state.

I hope that helps,
 Johanna

On Mon, May 29, 2017 at 03:26:12PM +0200, Raj Kumar wrote:
> Hi All,
> 
> I am trying to use the webapp detection script to detect webapps like
> Facebook etc.
> 
> I saw previous threads it was mentioned to enable "Make sure to set your
> Sites::local_net variable If you set it to
> 0.0.0.0/0
> 
> I have included 0.0.0.0/0 in networks.cfg,
> 
> I have also included in local.bro
> @load protocols/http/detect-webapps
>  redef Software::asset_tracking = ALL_HOSTS;
> 
> Still I couldn't see any webapps traffic mentioning Facebook; I could see
> only multicast addresses like 224.0.0.251
> 
> Any solution, much appreciated
> 
> Thanks,
> Raj
> IT Consultant
> Mobile: +45 81923531
>
> Lyskær 9
> 2730 Herlev, Denmark
>
> Web: http://www.capmon.dk
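
Added example, not part of the original thread and not code from the Bro project: a short Python reader for the software framework's log (software.log), run over a constructed sample, showing that it records per-host software names and versions, so a visited site such as Facebook never shows up as an entry. The sample rows, the software_type values in them and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample in Bro's tab-separated log layout (not real traffic).
# A real software.log has more columns; the parser reads whatever #fields lists.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#path\tsoftware",
    "#fields\tts\thost\tsoftware_type\tname\tunparsed_version",
    "1496165401.0\t10.0.0.5\tHTTP::BROWSER\tFirefox\tMozilla/5.0 (Windows NT 6.1; rv:53.0) Gecko/20100101 Firefox/53.0",
    "1496165402.0\t10.0.0.5\tOS::WINDOWS\tWindows\tMicrosoft-CryptoAPI/6.1",
    "1496165403.0\t10.0.0.20\tHTTP::SERVER\tApache\tApache/2.4.25 (Debian)",
    "1496165404.0\t10.0.0.20\tHTTP::WEB_APPLICATION\tphpMyAdmin\t-",
])


def parse_bro_log(text):
    """Turn a Bro TSV log into a list of dicts keyed by the #fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def software_by_type(rows):
    """Group (host, name) pairs by software_type: the inventory view."""
    inventory = defaultdict(set)
    for row in rows:
        inventory[row["software_type"]].add((row["host"], row["name"]))
    return {stype: sorted(pairs) for stype, pairs in inventory.items()}


def hosts_with(rows, needle):
    """Hosts on which a software name containing `needle` was recorded."""
    needle = needle.lower()
    return sorted({r["host"] for r in rows if needle in r["name"].lower()})


if __name__ == "__main__":
    rows = parse_bro_log(SAMPLE_LOG)
    for stype, pairs in sorted(software_by_type(rows).items()):
        print(stype, pairs)
    # The client at 10.0.0.5 may well be browsing Facebook, but the log
    # records only the software it runs, so this list is empty.
    print("facebook:", hosts_with(rows, "facebook"))
```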


