Application Layer Classification

Dear all,

here at Turin Polytechnic (Italy) we’re working with Bro 1.2.1 and we’re having some trouble in classifying packets that do not use a standard port.
Unfortunately, a large part of our traffic does not belong to standard ports and therefore the validity of the results we get from Bro is rather limited.

Is there any way to let Bro recognize any HTTP session (for example) even if it does not have port 80 or 8080 or such? And… is it possible to generalize this behavior on any protocol?

(Obviously, we can also modify the code; we would be extremely grateful if you could provide us some hints, just to start).



Hello Christian,

As far as I know, Bro is able to catch this problem, but you need to use the
"DPD.bro" module.

Hi Christian,