Problems adding http ports to bro (git version)

Hi all,

I have installed Bro from git to try new features (release 2.1-1052).
I need to detect http conns on non-standard ports like 80. To
accomplish this I have created the following policy:

# New DPD configuration.
const ports = {
        80/tcp, 81/tcp, 82/tcp, 631/tcp, 1080/tcp, 1090/tcp, 3128/tcp,
        3200/tcp, 3210/tcp, 3300/tcp, 3310/tcp, 3333/tcp, 3600/tcp, 3610/tcp,
        8000/tcp, 8080/tcp, 8100/tcp, 8888/tcp, 50000/tcp, 50001/tcp,
        50002/tcp, 50003/tcp, 50004/tcp, 50005/tcp, 50006/tcp, 50007/tcp, 50008/tcp,
        50009/tcp, 50010/tcp, 51000/tcp, 51001/tcp, 51002/tcp,
        51003/tcp, 51004/tcp, 51005/tcp, 51006/tcp, 51007/tcp, 51008/tcp,
        51009/tcp, 51010/tcp,
};

redef dpd_config += {
        [[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = ports],
};

# BPF filter must be a single string literal; it lists the same ports as
# the set above (51000 was missing from the filter and has been added so
# that traffic on that port is captured at all).
redef capture_filters += {
        ["http"] = "tcp and port (80 or 81 or 82 or 631 or 1080 or 1090 or 3128 or 3200 or 3210 or 3300 or 3310 or 3333 or 3600 or 3610 or 8000 or 8080 or 8100 or 8888 or 50000 or 50001 or 50002 or 50003 or 50004 or 50005 or 50006 or 50007 or 50008 or 50009 or 50010 or 51000 or 51001 or 51002 or 51003 or 51004 or 51005 or 51006 or 51007 or 51008 or 51009 or 51010)"
};

# Mark the non-default ports as server-side so connection direction is
# guessed correctly (one redef, same effect as one redef per port).
redef likely_server_ports += {
        82/tcp, 1090/tcp, 3200/tcp, 3210/tcp, 3300/tcp, 3310/tcp, 3333/tcp,
        3600/tcp, 3610/tcp, 8100/tcp,
        50001/tcp, 50002/tcp, 50003/tcp, 50004/tcp, 50005/tcp, 50006/tcp,
        50007/tcp, 50008/tcp, 50009/tcp, 50010/tcp,
        51000/tcp, 51001/tcp, 51002/tcp, 51003/tcp, 51004/tcp, 51005/tcp,
        51006/tcp, 51007/tcp, 51008/tcp, 51009/tcp, 51010/tcp,
};

But it doesn't work. The error is:

bro failed.
   error in /opt/bro/share/bro/site/more-http-ports.bro, line 13: unknown identifier ANALYZER_HTTP, at or near "ANALYZER_HTTP"

Same policy works for release 2.1.

Any idea??

Thanks.

Do you get a different result if you remove the trailing comma from "51010/tcp,};" in the ports constant?

Nope, same result.

Let's back up a bit. Bro uses signatures to detect protocols on non-standard ports, and it should also be able to identify the server and the client.

Out of the box, Bro should be able to automatically detect HTTP on all ports for you. If that's not working, that means that there's a problem with either how you're running Bro, or that there's a bug in Bro.

How are you running Bro? What does the conn.log line look like for an HTTP connection on a non-standard port that Bro failed to detect? Do you have a PCAP of such traffic that you could share (anonymized is fine)?

Having said all that, to answer your original question: The way you specify these ports for DPD changed in 2.2. If you take a look at base/protocols/http/main.bro:

const ports = {
        80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp,
        8000/tcp, 8080/tcp, 8888/tcp,
};
redef likely_server_ports += { ports };

# Initialize the HTTP logging stream and ports.
event bro_init() &priority=5
        {
        Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]);
        Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
        }

   --Vlad
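Putting Vlad's pointer together into a complete site script for the 2.2 API, as an added example that is not part of the thread and not Bro's own code: it registers the extra ports from the original post through Analyzer::register_for_ports instead of dpd_config and, as a check that signature-based DPD is working, reports each connection on which the HTTP analyzer was confirmed on a port nobody registered at all. The module name MoreHTTP, the file name, and the use of the 2.2-era protocol_confirmation event and Analyzer::registered_ports function are assumptions; the port list is the one from the original post minus the ports that 2.2 registers by default.

```bro
# Added example (not from the thread): site/more-http-ports.bro for Bro 2.2+.
# Module name, file name and the use of protocol_confirmation /
# Analyzer::registered_ports are assumptions made for illustration.
module MoreHTTP;

export {
	## Ports from the original post that Bro 2.2 does not attach the
	## HTTP analyzer to by default (80, 81, 631, 1080, 3128, 8000,
	## 8080 and 8888 are already covered by base/protocols/http).
	const extra_ports: set[port] = {
		82/tcp, 1090/tcp, 3200/tcp, 3210/tcp, 3300/tcp, 3310/tcp,
		3333/tcp, 3600/tcp, 3610/tcp, 8100/tcp,
		50000/tcp, 50001/tcp, 50002/tcp, 50003/tcp, 50004/tcp, 50005/tcp,
		50006/tcp, 50007/tcp, 50008/tcp, 50009/tcp, 50010/tcp,
		51000/tcp, 51001/tcp, 51002/tcp, 51003/tcp, 51004/tcp, 51005/tcp,
		51006/tcp, 51007/tcp, 51008/tcp, 51009/tcp, 51010/tcp,
	} &redef;
}

# Tell the connection-direction heuristic that these are server-side ports.
redef likely_server_ports += { extra_ports };

# 2.2 replaced dpd_config with Analyzer::register_for_ports(); priority 5
# matches the ordering used by base/protocols/http/main.bro.
event bro_init() &priority=5
	{
	Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, extra_ports);
	}

# Verification hook: DPD finds HTTP on any port through signatures even
# without the list above. Report each connection where the HTTP analyzer
# was confirmed on a port that is registered neither here nor by the base
# scripts, so the operator can see that non-standard-port detection works.
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
	{
	if ( atype != Analyzer::ANALYZER_HTTP )
		return;

	if ( c$id$resp_p in Analyzer::registered_ports(Analyzer::ANALYZER_HTTP) )
		return;

	print fmt("HTTP confirmed by DPD on unregistered port %s: %s:%s -> %s:%s",
	          c$id$resp_p, c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
	}
```

Load it from local.bro with @load of the script name, then look at conn.log: the service column should read http for connections to the registered ports, and any HTTP confirmed on an unregistered port shows up in Bro's stdout (swap print for Reporter::info if you prefer it in reporter.log). If a connection you expect to be HTTP has an empty service column, that is the conn.log line Vlad asked for.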

Uhmm ... well, I don't know if bro can detect http requests on
non-standard ports. I have not yet been able to start it :)).

I will try it, and if these http ports are not detected I will open
a new thread ....

Many thanks Vlad.