HTTP Question

Hello,

Can BRO alarm on non-http traffic over port 80?

Diogo Corteletti de Oliveira wrote:

Hello,

Can BRO alarm on non-http traffic over port 80?
_______________________________________________
Bro mailing list
bro@bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
Hello Diogo,

I think so if you use DPD (dynamic protocol detection).
Please note there's already a file "detect-protocols.bro" which
is able to find connections with protocols on non-standard ports.

Best regards,

Jean-philippe.

Yeah! You are right there's also "detect-protocols-http.bro"

Jean-Philippe Luiggi wrote:

Diogo Corteletti de Oliveira wrote:

Hello,

Can BRO alarm on non-http traffic over port 80?

Hello Diogo,

I think so if you use DPD (dynamic protocol detection).
Please note there's already a file "detect-protocols.bro" which
is able to find connections with protocols on non-standard ports.

Best regards,

Jean-philippe.

On Fri, Nov 09, 2007 at 01:54:19PM -0500, Jean-Philippe Luiggi composed:

Diogo Corteletti de Oliveira wrote:
> Hello,
>
> Can BRO alarm on non-http traffic over port 80?
>

Hello Diogo,

I think so if you use DPD (dynamic protocol detection).
Please note there's already a file "detect-protocols.bro" which
is able to find connections with protocols on non-standard ports.

Best regards,

Jean-philippe.

Note also to make this more reliable, you should set dpd_buffer_size
to a significantly longer size, otherwise larger POST requests may not
be recognized.

EG,

redef dpd_buffer_size = 4096;
or
redef dpd_buffer_size = 10000;

Nicholas Weaver wrote:

On Fri, Nov 09, 2007 at 01:54:19PM -0500, Jean-Philippe Luiggi composed:

Diogo Corteletti de Oliveira wrote:

Hello,

Can BRO alarm on non-http traffic over port 80?

Hello Diogo,

I think so if you use DPD (dynamic protocol detection).
Please note there's already a file "detect-protocols.bro" which
is able to find connections with protocols on non-standard ports.

Best regards,

Jean-philippe.
Note also to make this more reliable, you should set dpd_buffer_size
to a significantly longer size, otherwise larger POST requests may not
be recognized.

EG,

redef dpd_buffer_size = 4096;
or
redef dpd_buffer_size = 10000;

Hello,

Thank you for pointing out this information, I missed it (much more, I didn't think about this problem).

Best regards,

Jean-philippe.

Diogo Corteletti de Oliveira wrote:

Yeah! You are right there's also "detect-protocols-http.bro"

Hello Diogo,
I think so if you use DPD (dynamic protocol detection).
Please note there's already a file "detect-protocols.bro" which
is able to find connections with protocols on non-standard ports.

Best regards,

Jean-philippe

Hello Diogo,

Yes, that's right, this one loads "detect-protocols.bro".
In fact, I think specifying the use of "dpd" in "brolite.bro" will give you all the things you want:

from brolite.bro:

Hello Guys,

One more question. After enabling the DPD and filtering it to only consider events on port 80 I am getting a lot of alarms for Google connections like the one below:

t=1194889271.174088 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS sa=x.x.x.x sp=4421/tcp da=209.85.165.189 dp=80/tcp msg=x.x.x.x/4421\ >\ 209.85.165.189/http\ analyzer\ HTTP\ disabled\ due\ to\ protocol\ violation sub=not\ a\ http\ reply\ line tag=@877

I am assuming that this is an alert that could inform that someone is using a different protocol (not-http) on port 80. My objective (as stated in a previous e-mail) is to detect such a thing. The strange thing is that I tried to do this before with SourceFire's RNA and it alerted with google connections also. Could this mean that Google does not follow the HTTP RFC? Any suggestions?

Tks
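An added triage helper, not from the thread or from Bro itself: it parses alarm lines in the key=value format shown above (spaces inside values are escaped as "\ "), keeps the ProtocolViolation notices where the HTTP analyzer was disabled on 80/tcp, and counts them per responder and violation reason, so that one busy, slightly non-conforming site such as the Google hits stands out from genuine non-HTTP traffic on port 80. The first sample line is the one quoted in the message; the others are constructed with placeholder addresses.

```python
import re
from collections import Counter

# Constructed sample alarm lines in the Bro 1.x key=value format quoted in the
# thread: the first is the Google hit from the message, the rest are made up
# with placeholder addresses (192.0.2.x, x.x.x.x) and are not from the page.
SAMPLE_ALARMS = r"""
t=1194889271.174088 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS sa=x.x.x.x sp=4421/tcp da=209.85.165.189 dp=80/tcp msg=x.x.x.x/4421\ >\ 209.85.165.189/http\ analyzer\ HTTP\ disabled\ due\ to\ protocol\ violation sub=not\ a\ http\ reply\ line tag=@877
t=1194889300.000000 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS sa=x.x.x.x sp=4422/tcp da=209.85.165.189 dp=80/tcp msg=x.x.x.x/4422\ >\ 209.85.165.189/http\ analyzer\ HTTP\ disabled\ due\ to\ protocol\ violation sub=not\ a\ http\ reply\ line tag=@878
t=1194889310.500000 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS sa=x.x.x.x sp=4430/tcp da=192.0.2.10 dp=80/tcp msg=x.x.x.x/4430\ >\ 192.0.2.10/http\ analyzer\ HTTP\ disabled\ due\ to\ protocol\ violation sub=not\ a\ http\ request\ line tag=@879
t=1194889320.000000 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS sa=x.x.x.x sp=4431/tcp da=192.0.2.11 dp=443/tcp msg=x.x.x.x/4431\ >\ 192.0.2.11/ssl\ analyzer\ SSL\ disabled\ due\ to\ protocol\ violation sub=bad\ record tag=@880
"""

# A field separator is a space that is not escaped by a backslash.
FIELD_SPLIT = re.compile(r"(?<!\\) ")


def parse_alarm(line):
    """Turn one alarm line into a dict; Bro escapes spaces inside values as '\\ '."""
    fields = {}
    for token in FIELD_SPLIT.split(line.strip()):
        key, sep, value = token.partition("=")
        if sep:  # skip stray empty tokens
            fields[key] = value.replace("\\ ", " ")
    return fields


def parse_alarms(text):
    return [parse_alarm(l) for l in text.strip().splitlines() if l.strip()]


def http_violations_on_port_80(alarms):
    """ProtocolViolation notices where the HTTP analyzer gave up on 80/tcp:
    these are the candidates for 'something other than HTTP on port 80'."""
    return [a for a in alarms
            if a.get("no") == "ProtocolViolation"
            and a.get("dp") == "80/tcp"
            and "analyzer HTTP disabled" in a.get("msg", "")]


def violations_by_responder(alarms):
    """Count those hits per (responder address, violation reason) so that one
    busy, slightly non-conforming site stands out from scattered true positives."""
    counts = Counter()
    for a in http_violations_on_port_80(alarms):
        counts[(a["da"], a.get("sub", ""))] += 1
    return counts


if __name__ == "__main__":
    for (responder, reason), n in violations_by_responder(parse_alarms(SAMPLE_ALARMS)).most_common():
        print(f"{n:3d}  {responder:<16} {reason}")
```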

Could this mean that
Google does not follow the HTTP RFC? Any suggestions?

As usual with puzzles like this, the next step is to capture a trace that
reproduces the problem, and, if possible, send it to us or the list.

    Vern

Vern,

I've noticed that the alarms are being triggered with a normal connection to gmail. Do you need the entire trace? From the handshake to the FIN?

Vern Paxson wrote:

I've noticed that the alarms are being triggered with a
normal connection to gmail. Do you need the entire trace? From the
handshake to the FIN?

In general, yes, otherwise Bro isn't going to process it when run
off-line.

    Vern