Gentle people,
I have enabled dpd in brolite.bro with
const use_dpd = T;
At the same time I also comment out this line because I want to look into port 80 traffics.
redef restrict_filters += [ [“not-http”] = “not (port 80)” ];
I get a lot of this
…
t=1166923564.867909 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS sa=1.2.3.5 sp=46616/tcp da=1.2.3.4
dp=80/tcp msg=[1.2.3.5/46616](http://1.2.3.5/46616) >\ [1.2.3.4/http](http://1.2.3.4/http) analyzer\ HTTP\ disabled\ due\ to\ protocol\ violatio
n sub=not\ a\ http\ request\ line tag=@5618
…
In the wiki, it says that Bro can disable an analyzer on the fly if that finds that it cannot parse a connection’s payload—which most probably means the protocol detection went wrong. I’m curious about the protocol violation part. From what I have studied if I enable dpd, it should examine the traffics via dpd.sig before determine which protocol is used. Since I have pcap logging, I try to examine the traffic manually with tcpdump and it seems to be normal http session from 1.2.3.5 to 1.2.3.4. Thus I’m wondering why it happens as if the http analyzer is disabled then the ids can be evaded.
Another strange behaviour is the
redef restrict_filters += [ [“not-http”] = “not (port 80)” ];
I have few ports running http traffic, so I need to avoid the report of http traffics running on port other than 80. For example I have two ports such as ports 7777 and 7778 running some http kind of daemon, so to do it I just add this in the dpd section of brolite.bro
redef restrict_filters += [ [“cpanel2”] = “not (port 7777)” ];
redef restrict_filters += [ [“cpanel3”] = “not (port 7778)” ];
So it works as expect but when I add another port for example port 7785 below above two lines,
redef restrict_filters += [ [“cpanel3”] = “not (port 7785)” ];
Suddenly it doesn’t work and report http traffics running on those ports. So I’m curious if anyone have this similar issue. I have tried to define multiple ports with not(port 7777 and port 7778) for example but it doesn’t work, I read the wiki and it says that restrict_filters introduces “and” so that’s why I have to specify multiple restrict_filters instead.
One interesting issue also that happens to me is that I have tried to enable the full trace in bro.cfg,
BRO_CREATE_TRACE_FILE=YES
It logs the pcap correctly, so I try to disable it with
BRO_CREATE_TRACE_FILE=NO
Then restart bro-ids with bro.rc checkpoint, however it is still logging, thus I have to comment out the line
BRO_CREATE_TRACE_FILE=NO
Restarting bro-ids again and this time the full pcap logging no longer works. That’s all, I know sooner this will be replaced by time machine for full content logging but just would like to know if this is my problem or anyone have this.
Thanks and cheers.