I'm running bro in offline mode (-r) trying to get various aspects of DPD to work. I needed a good trace to test, so I configured system B's SSH to run on ports 22, 23, and 80. Then I got a packet trace (tcpdump -w) while SSH'ing from system A to those three ports on system B.
I ran bro on the trace with the following policy files (in this order):
notice conn dpd irc-bot dyn-disable detect-protocols detect-protocols-http proxy http-request http-reply ssh zzz-custom
zzz-custom is my custom policy file for redefs. In that file I redef'd dpd_conn_logs to T and ensured an all-inclusive capture_filter.
The results are not what I was hoping for. I expected, because I enabled dpd_conn_logs, that SSH would be properly detected and the conn log would indicate that. Instead, there is a ? appended after the name of the port, which indicates the protocol wasn't parsed. I expected to see ProtocolViolation messages in the notice log because of the non-http protocol on port 80 (this is a feature of dyn-disable). And I expected to see ProtocolFound and ServerFound notices because of the SSH protocol on a non-standard port (according to the wiki, that code is in detect-protocols.bro). None of the three things I expected to happen happened.
My notice log is completely empty. And the conn log has the three connections I expected (albeit with the missing detected protocol). I'm running bro 1.4. Any ideas on what I'm doing wrong here?
Eric T
edthoma@sandia.gov
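As an added illustration (not part of the original post) of the symptom described above, the following Python helper scans a Bro 1.x-style conn.log and lists the connections whose service field carries the trailing `?`, i.e. the ones DPD never confirmed. The column layout and the sample log lines are assumptions constructed for this example, not output from the poster's system.

```python
# Columns assumed for a Bro 1.x conn.log line (assumption, not from the post):
# start duration orig_ip resp_ip service orig_port resp_port proto
# orig_bytes resp_bytes state flags [tag]
FIELDS = ["start", "duration", "orig_ip", "resp_ip", "service",
          "orig_port", "resp_port", "proto", "orig_bytes", "resp_bytes",
          "state", "flags"]

# Constructed sample: SSH offered on ports 22, 23 and 80, none confirmed by DPD.
SAMPLE_CONN_LOG = """\
1240000000.123456 12.345 10.0.0.1 10.0.0.2 ssh? 40001 22 tcp 3000 4000 SF X
1240000005.654321 10.111 10.0.0.1 10.0.0.2 telnet? 40002 23 tcp 3000 4000 SF X
1240000010.000000 9.876 10.0.0.1 10.0.0.2 http? 40003 80 tcp 3000 4000 SF X
"""


def parse_conn_log(text):
    """Split whitespace-separated conn.log lines into dicts keyed by FIELDS."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < len(FIELDS) or line.startswith("#"):
            continue  # skip headers, comments and truncated lines
        rec = dict(zip(FIELDS, parts))
        rec["tag"] = parts[len(FIELDS)] if len(parts) > len(FIELDS) else ""
        records.append(rec)
    return records


def unconfirmed_services(records):
    """Return (resp_port, service) for connections DPD did not confirm.

    A trailing '?' on the service name means the label came from the port
    number only; no analyzer ever confirmed the protocol on that flow.
    """
    return [(r["resp_port"], r["service"].rstrip("?"))
            for r in records if r["service"].endswith("?")]


if __name__ == "__main__":
    for port, guessed in unconfirmed_services(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"port {port}: labelled '{guessed}' by port number only, DPD unconfirmed")
```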