I have a device inside that communicates using a weird http port (3000/tcp). I have verified that it is not malicious but it annoys me, and I'd like to be able to track what it does using Bro. Unfortunately, Bro is not recognizing its traffic as http. I've tried adding the port to likely_server_ports but to no avail. The port definitions in the base http scripts are not redef-able, and I seem to have hit my limit in tweaking Bro to make it decode this traffic.
What am I missing?
BTW this is Bro 2.0 (yes I know, consider me chastised) but the scripts seem to be the same in 2.1.
> What am I missing?
Could you send me a packet capture? I'm curious as to why the signature isn't matching.
> BTW this is Bro 2.0 (yes I know, consider me chastised) but the scripts seem to be the same in 2.1.
Hah! Yeah, not much difference between 2.0 and 2.1 with this, the change to it will be coming with 2.2.
If you want to add port 3000/tcp as an HTTP port you can add this to a script…
add dpd_config[ANALYZER_HTTP]$ports[3000/tcp];
.Seth
Interesting ... Seth, is it possible to add port ranges and standalone ports too at the same time? Or is it necessary to define every http port? For example:
add dpd_config[ANALYZER_HTTP]$ports[3001/tcp];
add dpd_config[ANALYZER_HTTP]$ports[3002/tcp];
add dpd_config[ANALYZER_HTTP]$ports[3003/tcp];
add dpd_config[ANALYZER_HTTP]$ports[3004/tcp];
add dpd_config[ANALYZER_HTTP]$ports[5000/tcp];
You would need to add each port individually. Why would you want to add large swaths of ports though? Port number is only one of the heuristics used to find which analyzer to use on a connection.
.Seth
This is giving me no joy on Bro 2.0, which barfs on seeing the "add" expression. When I try to emulate what base/protocols/http/main.bro does with
redef dpd_config += { [[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = set(3000/tcp)] };
I wind up having replaced the port list instead of adding to it. Also, the capture_filters var seems to need updating or replacing.
Any ideas? I'm out.
You need to make sure that add statement is outside of any event handler. Are you putting it in a bro_init event handler? (it helps if you give us the error message you got when something didn't work)
.Seth
I was putting this in site/local.bro. If I use the "add" expression, I get this sort of error message:
error in /usr/local/share/bro/policy/misc/loaded-scripts.bro, line 3: syntax error, at or near "module"
The name of the script is determined by whatever is "@load"ed after the occurrence of the "add". In the above, I put it first in local.bro. If I put it last, I get
error in /usr/local/share/bro/policy/frameworks/control/controllee.bro, line 15: syntax error, at or near "module"
Of course, these are generated by "broctl check".
Is it possible you forgot the semicolon at the end of the line?
.Seth
Nope, it was there. Just checked with the saved version that doesn't work.
Maybe I've tickled a bug in 2.0? I've been putting off the 2.1 upgrade but maybe now I shouldn't.
I've made some progress here. I copied some of the components from ./base/protocols/http/main.bro and created a local script in ./site, naming it local-http-add.bro, and used a @load in local.bro for it. It's pretty short.
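A complete standalone script of the kind described above, added here as an example (it is not the poster's local-http-add.bro and not Seth's code). It assumes the Bro 2.0/2.1 base scripts, where `capture_filters` is a `table[string] of string` used to build the sniffing filter and `likely_server_ports` is a `set[port]`; the filter key "http-3000" is a name chosen for this example. The ordering matters: Bro's grammar only accepts global-scope statements after all declarations, which is why an `add` followed by another `@load` fails with a syntax error at that script's `module` line as seen in the thread.

```bro
# local-http-add.bro (example script, not from the original thread)
# Purpose: have the HTTP analyzer handle the device that talks HTTP on 3000/tcp.

# Declarations first. Bro parses a file as "declarations, then statements", so
# every @load and redef must come before the global add statement below.
@load base/protocols/http

# Make sure the packets are captured at all: the BPF filter Bro installs is
# assembled from capture_filters, and the stock HTTP entry only lists the
# well-known ports.
redef capture_filters += { ["http-3000"] = "tcp port 3000" };

# Direction heuristic so 3000/tcp is treated as the server side of the
# connection (this alone does not select an analyzer, hence the add below).
redef likely_server_ports += { 3000/tcp };

# Statement last. This extends the existing port set for the HTTP analyzer
# instead of replacing it, which is what a second "redef dpd_config +=" with
# the same index would do. It must sit at global scope, not inside bro_init.
add dpd_config[ANALYZER_HTTP]$ports[3000/tcp];
```

Because nothing may follow the `add` but further statements, load this file from the very last line of site/local.bro (or add it as the final script in broctl's load list), then confirm with `broctl check` that no script loaded afterwards trips the parser.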