bro for application identification

Hi,
I am trying to use bro for payload based application identification from
a pcap trace. I am currently loading the following bro files:
dpd, conn, bittorrent, dhcp, dns, ftp, gnutella, http, ident, icmp,
irc, login, nfs, ntp, pop3, rsh, ssh, tcp, smtp, tftp, udp

and use the conn.log file to check the label of a flow.

Is there a better way to perform this task?

Haris.

> dpd, conn, bittorrent, dhcp, dns, ftp, gnutella, http, ident, icmp,
> irc, login, nfs, ntp, pop3, rsh, ssh, tcp, smtp, tftp, udp
>
> and use the conn.log file to check the label of a flow.

That works, but make sure to set dpd_conn_logs in conn.bro to true
to have the DPD-information actually show up in the service field
(the default there is still port-based classification, for backwards
compatibility).

Also note that not all protocol analyzers already support DPD, so
for some from your list above, you will not see any DPD results.
(The quick hack to find out which ones are supported is "grep
ProtocolConfirmation src/*.cc").

> Is there a better way to perform this task?

It depends on what you want to use the results for. If the
connection log has all you need, then this makes sense. There's also
detect-protocols.bro to report protocols on non-standard ports via
Notices. And there are hooks into the protocol detection if you need
more control; the protocol_{confirmation,violation} events inform
you about what DPD finds.

Robin
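As an added illustration (not code from this thread or from the Bro distribution): once dpd_conn_logs is on, a small script can cross-check the service column of conn.log against what a purely port-based classifier would have said, which is roughly the ground-truthing step being discussed. It assumes the whitespace-separated Bro 1.x conn.log column order listed in the docstring, that an unrecognised service is written as "other", and a hand-written well-known-port table (WELL_KNOWN) rather than Bro's own mapping; the log lines are constructed, not captured traffic. Connections in the nonstandard_port and conflict buckets are the ones detect-protocols.bro would raise Notices for and the ones worth manual verification, while a trace in which nothing ever lands in those buckets is a hint that the service field is still port-derived.

```python
"""Cross-check the service labels in a Bro conn.log against port-based guesses.

Added example, not part of the mailing-list thread or the Bro distribution.
Assumptions (adjust for your build):
  * conn.log is the whitespace-separated Bro 1.x layout:
      ts duration orig_h resp_h service orig_p resp_p proto orig_bytes
      resp_bytes state flags [addl]
  * an unrecognised service is written as "other"
  * WELL_KNOWN is a hand-written port table, not Bro's own mapping
"""
from collections import Counter, defaultdict

CONN_LOG_FIELDS = ("ts", "duration", "orig_h", "resp_h", "service",
                   "orig_p", "resp_p", "proto", "orig_bytes", "resp_bytes",
                   "state", "flags")

# Assumed well-known port table used for the "what a port-based classifier
# would have said" side of the comparison.
WELL_KNOWN = {
    ("tcp", 21): "ftp", ("tcp", 22): "ssh", ("tcp", 25): "smtp",
    ("tcp", 80): "http", ("tcp", 110): "pop3", ("tcp", 113): "ident",
    ("tcp", 6667): "irc", ("udp", 53): "dns", ("udp", 67): "dhcp",
    ("udp", 69): "tftp", ("udp", 123): "ntp",
}

# Constructed sample conn.log lines (no real traffic behind them).
SAMPLE_CONN_LOG = """\
1207000000.000000 0.532 10.0.0.5 192.168.1.10 http 40123 80 tcp 412 9876 SF X
1207000001.000000 1.200 10.0.0.5 192.168.1.11 http 40124 8080 tcp 300 5000 SF X
1207000002.000000 3.100 10.0.0.6 192.168.1.12 other 40125 25 tcp 1200 300 SF X
1207000003.000000 0.010 10.0.0.7 192.168.1.13 dns 53124 53 udp 60 120 SF X
1207000004.000000 12.000 10.0.0.8 192.168.1.14 ssh 40126 2222 tcp 5000 7000 SF X
1207000005.000000 0.400 10.0.0.9 192.168.1.15 other 40127 6881 tcp 200 200 SF X
1207000006.000000 2.000 10.0.0.10 192.168.1.16 ftp 40128 80 tcp 100 100 SF X
"""


def parse_conn_log(text):
    """Turn conn.log text into a list of dicts keyed by CONN_LOG_FIELDS."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        if len(cols) < len(CONN_LOG_FIELDS):
            raise ValueError("short conn.log line: %r" % line)
        rec = dict(zip(CONN_LOG_FIELDS, cols))
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
        rec["addl"] = " ".join(cols[len(CONN_LOG_FIELDS):])
        records.append(rec)
    return records


def port_based_label(proto, resp_p):
    """What a purely port-based classifier would call this connection."""
    return WELL_KNOWN.get((proto, resp_p), "other")


def classify(rec):
    """Compare the logged service (DPD, if dpd_conn_logs is on) with the port guess."""
    dpd = rec["service"]
    port = port_based_label(rec["proto"], rec["resp_p"])
    if dpd == "other":
        # No payload-based label: analyzer without DPD support, unknown
        # protocol, or too little payload to confirm anything.
        return "no_dpd_label"
    if port == dpd:
        return "agree"
    if port == "other":
        # Known protocol on an unexpected port; the case detect-protocols.bro
        # reports as a Notice.
        return "nonstandard_port"
    # Port suggests one protocol, payload another: look at these by hand.
    return "conflict"


def cross_check(text):
    """Bucket every connection; returns (Counter of buckets, records per bucket)."""
    summary = Counter()
    by_bucket = defaultdict(list)
    for rec in parse_conn_log(text):
        bucket = classify(rec)
        summary[bucket] += 1
        by_bucket[bucket].append(rec)
    return summary, by_bucket


def looks_port_based(records):
    """Heuristic: if no connection ever disagrees with its port, the service
    column is probably still port-derived (dpd_conn_logs left at its default)."""
    return all(classify(r) in ("agree", "no_dpd_label") for r in records)


if __name__ == "__main__":
    summary, by_bucket = cross_check(SAMPLE_CONN_LOG)
    for bucket, n in sorted(summary.items()):
        print("%-17s %d" % (bucket, n))
    for rec in by_bucket["conflict"] + by_bucket["nonstandard_port"]:
        print("check: %s:%d -> %s:%d/%s logged as %s" % (
            rec["orig_h"], rec["orig_p"], rec["resp_h"], rec["resp_p"],
            rec["proto"], rec["service"]))
    if looks_port_based(parse_conn_log(SAMPLE_CONN_LOG)):
        print("warning: every label matches its port; is dpd_conn_logs set?")
```

To run it on a real trace, read your conn.log into cross_check(); the column order in CONN_LOG_FIELDS is the first thing to verify against the Bro version that produced the log.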

Robin Sommer wrote:

> > dpd, conn, bittorrent, dhcp, dns, ftp, gnutella, http, ident, icmp,
> > irc, login, nfs, ntp, pop3, rsh, ssh, tcp, smtp, tftp, udp
> >
> > and use the conn.log file to check the label of a flow.
>
> That works, but make sure to set dpd_conn_logs in conn.bro to true
> to have the DPD-information actually show up in the service field
> (the default there is still port-based classification, for backwards
> compatibility).
>
> Also note that not all protocol analyzers already support DPD, so
> for some from your list above, you will not see any DPD results.
> (The quick hack to find out which ones are supported is "grep
> ProtocolConfirmation src/*.cc").
>
> > Is there a better way to perform this task?
>
> It depends on what you want to use the results for. If the
> connection log has all you need, then this makes sense. There's also
> detect-protocols.bro to report protocols on non-standard ports via
> Notices. And there are hooks into the protocol detection if you need
> more control; the protocol_{confirmation,violation} events inform
> you about what DPD finds.

What I want to do is to ground truth a network trace. I want to use as
many protocol analysers as possible in order to reduce the manual
verification of the label.

If I load the detect-protocols script, will I see the results of
the analysis in conn.log?