I have a project to do DPD-like offline analysis and was looking for help and feedback. First off, I'm trying to make sure that DPD is working, so I tried to get bro to write ServerFound messages to the notice log. BTW, in all my tests I made sure my capture filter included "or (tcp or udp or icmp)". To get bro to report ALL servers found, I temporarily modified detect-protocols.bro and commented out the two sections that would prevent generating notices for "well known ports" (using dpd_config). So I would expect to see ServerFound messages for all protocols that have been detected. Here is my command line (zzz-custom just redefines capture_filters as stated above):
bro -r pcapfile.pcap conn dpd irc-bot dyn-disable detect-protocols detect-protocols-http proxy http ssh zzz-custom
When I run this against the pcap file that contains tons of HTTP, SSH and likely other traffic, the only ServerFound messages are for SSH. If I was getting DPD to work correctly, I would expect to find HTTP ServerFound messages. I'm looking to get bro to output all ProtocolFound and ServerFound messages, so any help to get that to happen would be appreciated.
Once I figure this out, then I'll use DPD for its intended purpose: to detect protocols on non-standard ports. However, I'm also supposed to do the inverse, that is, detect non-standard protocols on standard ports. Any thoughts on how I could do this?
Thanks,
Eric T
Sandia National Labs
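The "inverse" check asked about above (a protocol DPD confirmed that does not match the port's usual service) can be done offline over per-connection records once the analyzers are confirming correctly. The following is an added example, not part of the original post and not Bro's own code: it assumes a simplified tab-separated record format (originator, responder, responder port, DPD-confirmed service, or `-` when nothing was confirmed) and a small hand-picked port-to-protocol table, both of which are assumptions and would need to be taken from the real conn output and local policy.

```python
# Added example (not from the original post or from Bro): classify
# connection records by whether the DPD-confirmed service matches the
# responder port. Record format and the port table are assumptions.
from collections import Counter
from dataclasses import dataclass

# Assumed table of well-known server ports and the protocol expected there.
EXPECTED_BY_PORT = {
    22: "ssh",
    25: "smtp",
    80: "http",
    443: "ssl",
    6667: "irc",
}


@dataclass
class Finding:
    kind: str        # nonstandard_port | wrong_protocol_on_port | unconfirmed_on_port
    orig: str
    resp: str
    resp_port: int
    service: str     # confirmed service, or the expected one for unconfirmed_on_port


def parse_records(text):
    """Parse constructed records: orig_h, resp_h, resp_p, service (tab-separated)."""
    records = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        orig, resp, resp_p, service = line.split("\t")
        records.append((orig, resp, int(resp_p), service))
    return records


def classify(records):
    """Return one Finding per connection whose port/protocol pairing is suspicious.

    - nonstandard_port: DPD confirmed a protocol on a port not in the table
      (the forward DPD use: known protocol, unexpected port).
    - wrong_protocol_on_port: a well-known port carrying a different protocol
      (the inverse case asked about in the post).
    - unconfirmed_on_port: a well-known port where DPD confirmed nothing; this
      is either genuinely odd traffic or, as in the post, an analyzer that is
      not confirming, so it is worth separating from the other two.
    """
    findings = []
    for orig, resp, resp_p, service in records:
        expected = EXPECTED_BY_PORT.get(resp_p)
        if service == "-":
            if expected is not None:
                findings.append(Finding("unconfirmed_on_port", orig, resp, resp_p, expected))
            continue
        if expected is None:
            findings.append(Finding("nonstandard_port", orig, resp, resp_p, service))
        elif service != expected:
            findings.append(Finding("wrong_protocol_on_port", orig, resp, resp_p, service))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. for a quick sanity check of a run."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample records (not real capture data).
SAMPLE = """
# orig_h\tresp_h\tresp_p\tservice
10.0.0.5\t10.0.0.9\t22\tssh
10.0.0.5\t10.0.0.9\t80\thttp
10.0.0.5\t10.0.0.9\t8081\thttp
10.0.0.7\t10.0.0.9\t443\tssh
10.0.0.7\t10.0.0.9\t80\t-
10.0.0.8\t10.0.0.9\t51234\t-
"""

if __name__ == "__main__":
    for f in classify(parse_records(SAMPLE)):
        print(f"{f.kind}: {f.orig} -> {f.resp}:{f.resp_port} ({f.service})")
    print(summarize(classify(parse_records(SAMPLE))))
```

The `unconfirmed_on_port` bucket is the one to look at first when, as in the post, an expected protocol never produces a ServerFound notice: a well-known port with many connections and no confirmed service points at the analyzer not confirming (filter, script ordering, or the dpd_config well-known-port suppression), rather than at the traffic itself.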