[Zeek] Which services are identified in conn.log by bro?

anthony kasza anthony.kasza at gmail.com
Tue May 28 08:14:18 PDT 2019


You can find how this field gets set by grepping through Zeek's source.

```
$ grep -R '\$service' ./scripts | grep 'add'
./scripts/base/frameworks/dpd/main.bro: add c$service[analyzer];
./scripts/base/frameworks/dpd/main.bro: add c$service[fmt("-%s", analyzer)];
./scripts/base/protocols/ftp/main.bro: add c$service["ftp-data"];
./scripts/base/protocols/ftp/gridftp.bro: add c$service["gridftp-data"];
./scripts/base/protocols/ftp/gridftp.bro: add c$service["gridftp"];
./scripts/base/protocols/irc/dcc-send.bro: add c$service["irc-dcc-data"];
```

Most services are identified via the Dynamic Protocol Detection (DPD)
framework.
https://www.zeek.org/development/howtos/dpd.html
Looking at `scripts/base/frameworks/dpd/main.bro`, you can see that
the service field is set within the protocol_confirmation() scriptland
event which is generated by protocol analyzers in C++land. The
ProtocolConfirmation() function from `src/analyzer/Analyzer.cc` is how
the scriptland event is called.

Grepping for that function in the source shows 29 different protocol
analyzers.

```
$ grep -R 'ProtocolConfirmation' ./src/* | cut -f1 -d':' | grep 'protocol' | cut -d'/' -f5 | sort -u
ayiya
bittorrent
dce-rpc
dhcp
dnp3
dns
ftp
gssapi
gtpv1
http
imap
irc
krb
modbus
mysql
ntlm
pop3
radius
rdp
rfb
sip
smb
smtp
snmp
socks
ssh
ssl
teredo
xmpp
```

It seems that there are, in total, 33 possible connection service values.


-AK
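Added example, not code from the reply above or from the Zeek project: a small Python tally of the `service` column in a conn.log, which is where the values set by `add c$service[...]` end up. It assumes Zeek's default ASCII (tab-separated) log layout, with a `#separator` line first and the `#set_separator`, `#unset_field`, `#empty_field` and `#fields` headers before the data rows. The sample log is constructed. It treats the two forms visible in the grep output above: plain names added on `protocol_confirmation`, and names with a leading minus from `fmt("-%s", analyzer)`, which the DPD script adds when an analyzer it had already confirmed later reports a protocol violation.

```python
"""Tally the `service` column of a Zeek conn.log.

Added example, not code from the mailing-list post or the Zeek project.
Assumes Zeek's default ASCII (tab-separated) log layout: a `#separator` line
first, then `#set_separator`, `#unset_field`, `#empty_field` and `#fields`
headers, and one connection per data row. The sample log below is constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample conn.log, cut down to the columns that matter here.
# A `service` value is a set joined with the set separator ("ssl,http");
# "-" means DPD never confirmed a protocol; a leading minus ("-ssh") is the
# marker dpd/main.bro adds with fmt("-%s", analyzer) when a confirmed analyzer
# later reports a protocol violation.
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tset[string]\tinterval
1559030058.100000\tCAAAAA1\t10.0.0.5\t51000\t10.0.0.9\t80\ttcp\thttp\t0.5
1559030058.200000\tCAAAAA2\t10.0.0.5\t51001\t10.0.0.9\t443\ttcp\tssl\t1.2
1559030058.300000\tCAAAAA3\t10.0.0.5\t51002\t10.0.0.9\t443\ttcp\tssl,http\t1.0
1559030058.400000\tCAAAAA4\t10.0.0.5\t51003\t10.0.0.9\t21\ttcp\tftp,ftp-data\t3.3
1559030058.500000\tCAAAAA5\t10.0.0.5\t51004\t10.0.0.9\t22\ttcp\t-ssh\t0.1
1559030058.600000\tCAAAAA6\t10.0.0.5\t51005\t10.0.0.9\t8080\ttcp\t-\t0.0
1559030058.700000\tCAAAAA7\t10.0.0.5\t53000\t10.0.0.2\t53\tudp\tdns\t0.01
#close\t2019-05-28-08-14-18
"""


def parse_zeek_ascii(lines: Iterable[str]) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Return (format markers, rows) for a Zeek ASCII log.

    Format markers: separator, set_separator, unset_field, empty_field.
    Each row is a dict keyed by the names from the `#fields` header.
    """
    fmt = {"separator": "\t", "set_separator": ",",
           "unset_field": "-", "empty_field": "(empty)"}
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator header is space-delimited and escaped (\x09).
                esc = line[len("#separator "):]
                fmt["separator"] = esc.encode("ascii").decode("unicode_escape")
                continue
            key, _, value = line.partition(fmt["separator"])
            if key == "#fields":
                fields = value.split(fmt["separator"])
            elif key[1:] in fmt:          # #set_separator, #unset_field, #empty_field
                fmt[key[1:]] = value
            continue                      # #path, #types, #close, ... are ignored
        if not fields:
            raise ValueError("data row before #fields header")
        values = line.split(fmt["separator"])
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        rows.append(dict(zip(fields, values)))
    return fmt, rows


def tally_services(log_text: str) -> Tuple[Counter, Counter, int]:
    """Count confirmed services, DPD-violated services and unset rows."""
    fmt, rows = parse_zeek_ascii(log_text.splitlines())
    confirmed: Counter = Counter()
    violated: Counter = Counter()
    unset = 0
    for row in rows:
        value = row["service"]
        if value == fmt["unset_field"]:
            unset += 1                    # no analyzer ever confirmed a protocol
            continue
        if value == fmt["empty_field"]:
            continue                      # empty set: nothing to count
        for name in value.split(fmt["set_separator"]):
            if name.startswith("-"):
                violated[name[1:]] += 1   # confirmed, then protocol_violation
            else:
                confirmed[name] += 1
    return confirmed, violated, unset


if __name__ == "__main__":
    conf, viol, unset = tally_services(SAMPLE_CONN_LOG)
    for name, n in conf.most_common():
        print(f"{name:12s} {n}")
    for name, n in viol.most_common():
        print(f"-{name:11s} {n}  (DPD violation after confirmation)")
    print(f"{'(unset)':12s} {unset}")
```

Run it against a real conn.log with `tally_services(open("conn.log").read())`; the set of keys in the first counter is the answer to the original question for that capture, and a non-empty second counter points at connections worth a look in dpd.log, since a minus-prefixed service means the traffic stopped looking like the protocol Zeek had confirmed.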


On Mon, May 27, 2019, 23:10 Sachinji Giri <sachin.giribuva at niyuj.com> wrote:

> Hi all,
>
> I am looking for the list of services that bro/zeek identifies in
> conn.log. But I am unable to find out exactly how many services bro
> identifies. Can someone please point out to me the correct script file or
> source code or documentation where I can get the list of services that bro
> detects?
>
> Documentation says :
>
>> application-layer services ( - the service field is filled in as Bro
>> determines a specific protocol to be in use, independent of the
>> connection’s ports)
>>
>
>
>
> But where are these services defined? How many are identified in the
> conn.log?
>
> Thanks in advance!
>
> Regards,
>
> Sachin Giri
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek