Dynamic Protocol Detection

seems to be normal http session from 1.2.3.5 to 1.2.3.4. Thus I'm wondering
why it happens as if the http analyzer is disabled then the ids can be
evaded.

Hard to say without seeing the actual packets. Can you send me the
trace of that connection?

redef restrict_filters += [ ["cpanel2"] = "not (port 7777)" ];
redef restrict_filters += [ ["cpanel3"] = "not (port 7778)" ];

[...]

redef restrict_filters += [ ["cpanel3"] = "not (port 7785)" ];

Assuming that this is not just a typo in the mail, you're using the
same index twice (cpanel3), and therefore the second entry for that
index overrides the first one, and you are going to see packets on
port 7778. If you load print-filter.bro, you see what Bro's packet
filter looks like.

Note that another way for suppressing alerts for certain
ports/servers is redefining ProtocolDetector::valids. See
detect-protocols.bro for examples.

BRO_CREATE_TRACE_FILE=NO
# BRO_CREATE_TRACE_FILE=NO

(Can't say much about this, but probably it's a small bug in the
shell script.)

Robin
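
Added example (not part of the original mail, and not Bro's own code): a small Python check that scans a policy script for `redef restrict_filters` lines that reuse an index, the situation described in the reply above. The function name is hypothetical and the sample input is constructed from the three lines quoted in the mail.

```python
import re

# Matches lines such as:
#   redef restrict_filters += [ ["cpanel3"] = "not (port 7778)" ];
REDEF_RE = re.compile(
    r'^\s*redef\s+restrict_filters\s*\+=\s*'
    r'\[\s*\["([^"]+)"\]\s*=\s*"([^"]*)"\s*\]\s*;'
)

# Constructed sample: the lines quoted in the mail (elided entries omitted).
SAMPLE = '''\
redef restrict_filters += [ ["cpanel2"] = "not (port 7777)" ];
redef restrict_filters += [ ["cpanel3"] = "not (port 7778)" ];
redef restrict_filters += [ ["cpanel3"] = "not (port 7785)" ];
'''


def audit_restrict_filters(script_text):
    """Return (effective, overridden) for a policy script.

    effective  -- index -> filter expression that survives (last redef wins)
    overridden -- list of (index, lost_expression, line_no) entries that a
                  later redef with the same index silently replaced
    """
    effective = {}
    defined_at = {}
    overridden = []
    for line_no, line in enumerate(script_text.splitlines(), 1):
        match = REDEF_RE.match(line)
        if not match:
            continue  # comments and unrelated statements are ignored
        index, expr = match.groups()
        # Re-adding an index with a different expression drops the old one.
        if index in effective and effective[index] != expr:
            overridden.append((index, effective[index], defined_at[index]))
        effective[index] = expr
        defined_at[index] = line_no
    return effective, overridden


if __name__ == "__main__":
    effective, overridden = audit_restrict_filters(SAMPLE)
    for index, expr, line_no in overridden:
        print(f'line {line_no}: ["{index}"] = "{expr}" is overridden '
              f'by a later entry; that traffic is no longer excluded')
    for index, expr in effective.items():
        print(f'effective: ["{index}"] = "{expr}"')
```

Loading print-filter.bro, as suggested in the reply, remains the way to confirm the filter Bro actually builds.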