Hi,
The Bro documentation claims that it supports port-independent protocol analysis, but in practice it does not.
In the file /usr/local/bro/share/bro/base/protocols/socks/main.bro, there is some code as follows:
const ports = { 1080/tcp };
redef likely_server_ports += { ports };

event bro_init() &priority=5
	{
	Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks]);
	Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports);
	}
I started Bro and created a SOCKS server. Bro could only detect it when the port was 1080! How could I detect the SOCKS protocol if I started the SOCKS server on another port?
peter,
Take a look at socks/dpd.sig. Those are the signatures that are running and attempting to identify off-port SOCKS connections.
.Seth
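To illustrate the difference Seth is pointing at between port-based analyzer registration (the `register_for_ports` call on 1080/tcp) and signature-driven dynamic protocol detection (socks/dpd.sig), here is a small added Python example. It is not code from Bro or from either poster. The two byte patterns are constructed for this example and only modelled on the idea of a DPD signature that inspects the originator's first payload bytes for a SOCKS4 request or a SOCKS5 method-negotiation greeting; they are not Bro's actual dpd.sig contents. The sample "connections" are constructed inline.

```python
import re
import struct

# Constructed, simplified client-greeting patterns (assumption: these are
# illustrative, not the regexes shipped in Bro's socks/dpd.sig).
#   SOCKS4: VN=0x04, CD=0x01 (CONNECT) or 0x02 (BIND), dst port, dst IP,
#           then a NUL-terminated user id (bounded here to 32 bytes).
#   SOCKS5: VER=0x05, NMETHODS, then a method list that should start with
#           one of the common methods (0x00 none, 0x01 GSSAPI, 0x02 user/pass).
SOCKS4_CLIENT = re.compile(rb"^\x04[\x01\x02].{0,32}\x00", re.DOTALL)
SOCKS5_CLIENT = re.compile(rb"^\x05.[\x00\x01\x02]", re.DOTALL)

# The port the analyzer is registered for in main.bro.
REGISTERED_PORTS = {1080}


def classify_payload(orig_payload):
    """Signature-style detection: look only at the originator's first bytes,
    regardless of which port the responder is listening on."""
    if SOCKS5_CLIENT.match(orig_payload):
        return "socks5"
    if SOCKS4_CLIENT.match(orig_payload):
        return "socks4"
    return None


def detect_by_port(conn):
    """Port-based detection: mirrors registering the analyzer for 1080/tcp."""
    return "socks" if conn["resp_port"] in REGISTERED_PORTS else None


def detect_by_signature(conn):
    """Port-independent detection: what a DPD signature would decide."""
    return classify_payload(conn["orig_payload"])


def run(conns):
    """Return {uid: (port_based_verdict, signature_verdict)} for each connection."""
    return {c["uid"]: (detect_by_port(c), detect_by_signature(c)) for c in conns}


# Constructed sample connections: (uid, responder port, originator's first bytes).
def socks4_connect(dst_port, dst_ip, user):
    return b"\x04\x01" + struct.pack(">H", dst_port) + bytes(dst_ip) + user + b"\x00"


SAMPLE_CONNS = [
    {"uid": "C1", "resp_port": 1080, "orig_payload": b"\x05\x01\x00"},
    {"uid": "C2", "resp_port": 8888, "orig_payload": b"\x05\x02\x00\x02"},
    {"uid": "C3", "resp_port": 9999,
     "orig_payload": socks4_connect(80, (10, 0, 0, 1), b"user")},
    {"uid": "C4", "resp_port": 1080, "orig_payload": b"GET / HTTP/1.1\r\n"},
    {"uid": "C5", "resp_port": 443, "orig_payload": b"\x16\x03\x01\x00\x5a\x01"},
]

if __name__ == "__main__":
    for uid, (by_port, by_sig) in run(SAMPLE_CONNS).items():
        print(f"{uid}: port-based={by_port!r} signature-based={by_sig!r}")
```

Running it shows why off-port SOCKS (C2 on 8888, C3 on 9999) is only caught by the signature path, and why the port path alone both misses them and mislabels non-SOCKS traffic on 1080 (C4). If socks.log is still only produced for 1080/tcp on a live sensor, the thing to check is whether the originator's first bytes actually reach the signature engine intact, which is exactly what a packet capture, as requested later in the thread, would settle.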
Seth,
> In the file /usr/local/bro/share/bro/base/protocols/socks/main.bro, there is some code as follows:
> Take a look at socks/dpd.sig. Those are the signatures that are running and attempting to identify off-port SOCKS connections.
Yes, I had seen it, and I thought it would work like that. But Bro could only detect it and generate socks.log when the SOCKS server used port 1080/tcp, not other ports.
How could I configure it to detect SOCKS on other ports?
Best,
peter
It should work. If it's not, you need to provide a packet capture that shows it not working.
.Seth