dpd unknown port

Hi all,
With Bro 2.2 and/or 2.3 what is the best way to tell Bro that I want a DPD
signature to be matched on any connection regardless of port?
I know I can use Analyzer::register_for_ports at bro_init to enable a set of
ports to analyze with an analyzer, but I have a case where I cannot predict
a priori the destination port in use by the protocol. It does not seem like
I can pass wildcards to register_for_port(s). If I have a DPD signature for
the protocol (e.g., for HTTP) what is the easiest way to tell Bro to use the
signature on any connection regardless of port? Can this be done on the
scripting layer? If not, any pointers to where I need to modify the code
to hook, say, the HTTP analyzer for every connection? (I am not concerned
about efficiency as I am running Bro on pcaps)

BTW, I searched the mailing list for a reply but all hits I found for Bro
2.2 and 2.3 referred to Analyzer::register_for_ports.

Thanks,
Juan

It sounds like you want to write a signature [1] with a particular "payload" content condition and an "enable" action to activate a particular protocol analyzer.

- Jon

[1] http://www.bro.org/sphinx/frameworks/signatures.html

Hi Jon,
Thanks for your answer

> It sounds like you want to write a signature [1] with a particular
> "payload" content condition

In my case I simply want to use protocols such as HTTP for which Bro already
has a DPD signature, so no need to create a new one.

> and an "enable" action to activate a particular protocol analyzer.

This is the step I do not know how to do. The only "enable" function I see
is "Analyzer::enable_analyzer(Analyzer::ANALYZER_HTTP)".
However, when I use that function it does not seem to enable the DPD
signature for all ports, i.e., an HTTP connection on port 7623/tcp does not
get analyzed unless I use Analyzer::register_for_ports to add port 7623/tcp.
Any suggestions for this step?

Thanks,
Juan

There are two main ways to tell a protocol analyzer what connections it needs to parse:

(1) well-known ports (i.e. "Analyzer::register_for_ports()")
(2) signatures (i.e. the documentation I linked to before)

Those two are unrelated — the ports given to "Analyzer::register_for_ports()" will cause the analyzer to be activated on connections that use those ports regardless of whether any signatures match. And conversely, signature matches that enable an analyzer won’t be restricted by what well-known ports are registered.

The two are also specified in different grammars: you’re already familiar with the scripting language that can be used for registering well-known ports. There’s a different signature language that’s described by that documentation I linked, and you can also see some examples by looking at "dpd.sig" files shipped in Bro. The "enable" action I referred to before is part of the signature language, not the scripting language.

For the particular example you’re giving, it may be worthwhile to figure out why the default HTTP signature (base/protocols/http/dpd.sig) is not matching and maybe write one that will (if you’re desperate, do a signature to match every connection).

- Jon
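To make the two mechanisms Jon contrasts concrete, here is an added example (not from this thread or from the Bro distribution) that pairs a port-independent HTTP signature using the "enable" action with the port-based Analyzer::register_for_ports() call, and hooks the events that show which path activated the analyzer. The file names http-anyport.sig and http-anyport.bro, the "http_anyport_*" signature names and the port 7623/tcp are assumptions chosen for illustration; the @load-sigs directive is assumed to be available in the Bro 2.2/2.3 versions the thread discusses.

```bro
# --- file: http-anyport.sig (Bro signature language, assumed file name) ---
# Client side: an HTTP request line, matched on any port because no
# dst-port condition is given.
signature http_anyport_client {
  ip-proto == tcp
  payload /^[[:space:]]*(GET|HEAD|POST|PUT|DELETE|OPTIONS)[[:space:]]/
  tcp-state originator
}

# Server side: an HTTP status line, accepted only if the client side of the
# same connection already matched. The "enable" action attaches the HTTP
# analyzer to this connection regardless of its port.
signature http_anyport_server {
  ip-proto == tcp
  payload /^HTTP\/[0-9]/
  tcp-state responder
  requires-reverse-signature http_anyport_client
  enable "http"
}

# --- file: http-anyport.bro (Bro script language, assumed file name) ---
@load base/protocols/http

# Load the signature file above; path is relative to this script.
@load-sigs "./http-anyport.sig"

# Contrast: a well-known port registered here is analyzed as HTTP whether or
# not any signature matches (7623/tcp is a constructed example port).
event bro_init()
    {
    Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, set(7623/tcp));
    }

# Fires when a signature matches; tells you the signature path enabled HTTP.
event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id == "http_anyport_server" )
        print fmt("HTTP enabled by signature on %s", state$conn$id);
    }

# Fires when the analyzer confirms the protocol, whichever path enabled it.
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
    {
    if ( atype == Analyzer::ANALYZER_HTTP )
        print fmt("HTTP confirmed %s -> %s", c$id$orig_h, c$id$resp_p);
    }
```

Run it against a pcap with `bro -r capture.pcap http-anyport.bro`; an HTTP exchange on a port that is neither 80 nor 7623/tcp should produce both messages and an http.log entry, while a non-HTTP connection produces neither.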