Bro Digest, Vol 28, Issue 2

Hi Miguel,

If you are using hostname.bro, which may load brolite.bro (it will load http.bro), and http_ports is defined in http.bro as well, you may find the following lines:

# DPM configuration.
# global http_ports = {
# 80/tcp, 81/tcp, 631/tcp, 3138/tcp,
# 8000/tcp, 8080/tcp, 8888/tcp,
# } &redef;

I comment them out; instead, in snort.bro I comment out one line and add the similar config in http.bro:

#const http_ports = { 80/tcp, 8000/tcp, 8001/tcp, 8080/tcp };
global http_ports = {
80/tcp, 81/tcp, 631/tcp, 3128/tcp,
8000/tcp, 8080/tcp, 8888/tcp,
} &redef;

Then try to run it again and see if it works.

Cheers

As you suggested, I declared http_ports in snort.bro as 'global' instead of 'const'. It did not work. Fortunately, when declaring http_ports as

global http_ports = {
         80, 81, 631, 3128,
         8000, 8080, 8888
} &redef

without '/tcp' the signature works. Since 'ip-proto == tcp' is already set, the results will not differ, am I right?

Thank you
Miguel

Ah, I see. That's a bug. Can you try the attached patch and see if
that solves the problem?

Robin

ports.diff (531 Bytes)

Thank you Robin,

The patch did work.

Thank you
Miguel