I seem to have lost the mojo for getting any services to show up in the
connection records' service set. I have:
@load conn
redef dpd_conn_logs = T;
However, the service set remains empty in new_connection and
connection_finished events. I guess that makes sense for the former
event, but not the latter, so what else do I need?
(Basically, I'd like to have a reliable way to generate content in
c$service for the broconn Broccoli test case.)
"services" is set at a few locations whenever some script believes
it has recognized a service. Most importantly that's DPD's protocol
detection[1] but also, e.g., ftp-data and portmapper connections.
The crucial point is that you need to have some analyzer running
which takes the decision. Assuming dpd_conn_logs=T, I get for
example service={HTTP} for HTTP sessions once I load http-request.
Robin
[1] Also applies to standard ports, i.e., even without running the
DPD signatures.
then I no longer seem to get connection_finished events(!), despite
seeing the teardown on the wire. I do however see
connection_state_remove, but without anything in c$service. When I use
@load conn
@load dpd
redef dpd_conn_logs = T;
all is well: I get both connection_finished and connection_state_remove,
and both carry HTTP in c$service (since in that case the capture filter
ends up being "tcp or udp or icmp").
Does loading tcp.bro instead of conn.bro help?
My last reply actually simplified things a bit, sorry. For services
added via the DPD mechanism (i.e., verifying the presence of the
protocol by having the analyzer parse it), this is what is needed:
- the (core) analyzer needs to see the packets. That's the case with
Bro's fall-back default "tcp or udp or icmp" but not anymore once
you load any script which modifies the default (e.g., tcp.bro). If
so, you either need to set the filter manually or load the
corresponding analyzer script which then makes sure the packets are
included. That's actually why I referred to http-request.bro
- you need to load conn.bro (which almost always gets pulled in by
some other script anyway). conn.bro has the handler for the
protocol_confirmation() event, which adds the entry to the service
field once an analyzer believes it's indeed its protocol.
For other services (i.e., non-DPD) the corresponding script sets the
services. E.g., ftp.bro adds an entry "ftp-data" to services for
data sessions.
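Pulling the two requirements from the reply above together, here is an added example (not code from the thread or from the Bro distribution): a script that loads the pieces Robin names and hooks the events mentioned so you can watch c$service get populated. The capture_filters redef is an assumption about the Bro 1.x filter table and is left commented out; only the events and scripts named in the thread are relied on.

```bro
# Added example, not from the thread. Follows Robin's two requirements:
#  1. conn.bro must be loaded: it handles protocol_confirmation() and
#     adds the confirmed protocol to c$service.
#  2. the analyzer must see the packets: http-request.bro extends the
#     capture filter so HTTP traffic is captured once the "tcp or udp
#     or icmp" fall-back is no longer in effect.
@load conn
@load dpd
@load http-request

redef dpd_conn_logs = T;

# Assumption (Bro 1.x filter table): if you cannot load the analyzer
# script, widen the filter yourself instead. Left disabled here.
# redef capture_filters += { ["extra-http"] = "tcp port 80 or tcp port 8080" };

# Raised once an analyzer has parsed enough to be sure of the protocol.
# conn.bro's own handler for this event is what fills c$service; this
# handler only shows the moment it happens.
event protocol_confirmation(c: connection, atype: count, aid: count)
	{
	print fmt("confirmed analyzer %d on %s:%s -> %s:%s", atype,
		c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
	}

# With the scripts above loaded and HTTP on the wire, both teardown
# events should now carry "HTTP" in the service set.
event connection_finished(c: connection)
	{
	print fmt("finished %s:%s -> %s:%s services=%s",
		c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, c$service);
	}

event connection_state_remove(c: connection)
	{
	print fmt("removed %s:%s -> %s:%s services=%s",
		c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, c$service);
	}
```

If connection_state_remove still reports an empty set while protocol_confirmation never fires, the analyzer is not seeing the packets: check the effective capture filter before suspecting conn.bro.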