Detecting protocols without full analyzers

Development
1

Some of the core developers of Bro have been having this discussion internally, and I’d like to bring it to the broader community.

It has been recognized that there are a lot of protocols for which we don’t have full analyzers that some would still like to detect in our conn.logs via simple signatures. A full analyzer is much harder to write and to do well. This creates a barrier to entry. Further, some protocols would not benefit much from deeper analysis because of encryption or other issues. However, it is still desirable to notice that such protocols and applications are used on your network.

I don’t think anyone disagreed that this could be useful, but the question would be how to do it in a maintainable way and where to put it. For example, would this be another field in the conn.log? Would this be turned on in Bro by default, would it be in the policy directory and not base, or would it be a separate plugin people could download if they want.

I’m not going to repeat all the arguments for or against different positions here; I’ll let people do that for themselves. I just want to start the conversation within the broader community.

:Adam

2

I agree that detecting more protocols would certainly be useful, but I
remain skeptical of the mechanism: the proposal is to detect protocols
by relying only on signatures looking for characteristic byte
sequences; in contrast to the current DPD approach actually attempting
to parse the protocol. I am concerned about reliability with any
signatures-only approach.

Actually I would propose something else: we recently added minimal
analyzers for IMAP and XMPP that parse just the beginning of a
session---just enough to confirm the protocol and, in these cases,
also use of SSL. That's an approach that I think could work more
generally as well: even if a full analyzer isn't feasible, doing just
the standard DPD confirmation for a protocol should usually be pretty
straight-forward.

Robin

3

Is this what Justin did for RDP, because I don’t think that was much effort, was it Justin?

:Adam