Ciao,
I’m trying to do protocol detection on non-standard ports.
I set up an Apache server on port 777 and a mail server (Postfix) on port 778.
I captured packets with tcpdump.
I parsed the dumps with “bro -C -r protocolName.dump backdoor”.
These are the “backdoor.log” results:
http.dump
1124720330.438091 10.20.188.212/32770 > 10.20.10.34/777 http-sig
1124720338.627503 10.20.188.212/32773 > 10.20.10.34/777 http-sig
1124720425.113738 10.20.188.212/32784 > 10.20.10.34/777 http-sig
smtp.dump
1124785239.632272 127.0.0.1/56034 > 127.0.0.1/778 ftp-sig
1124785306.080354 127.0.0.1/56037 > 127.0.0.1/778 ftp-sig
1124785591.602025 127.0.0.1/56048 > 127.0.0.1/778 ftp-sig
1124785606.143460 127.0.0.1/56050 > 127.0.0.1/778 ftp-sig
WHY? ( ©1992 Annie Lennox)
Best regards,
Manuel.
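An added example, not code from the post or from Bro itself: a small Python parser for the backdoor.log record format shown above ("timestamp src/port > dst/port signature") that cross-checks the protocol named by each signature against the service the operator actually placed on that port. The port-to-service table and the "-sig" suffix convention are assumptions taken from the log lines and the setup described in the post (Apache on 777, Postfix on 778). One caveat when reading a "mismatch" verdict: the backdoor analyzer works from heuristic payload signatures, and SMTP and FTP use the same three-digit reply-code style (both greet with a "220" line, per RFC 5321 and RFC 959), so a mismatch only says the heuristic disagrees with the configured service, not which side is right.

```python
"""Parse Bro backdoor.log records and cross-check each reported signature
against the service the operator knows is listening on that port."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One backdoor.log record: "<ts> <src>/<sport> > <dst>/<dport> <signature>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+"
    r"(?P<src>[\d.]+)/(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)/(?P<dport>\d+)\s+"
    r"(?P<sig>\S+)$"
)


@dataclass(frozen=True)
class BackdoorHit:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    sig: str


def parse_backdoor_log(text: str) -> List[BackdoorHit]:
    """Return one BackdoorHit per record. Lines that are not records
    (blank lines, the 'http.dump' / 'smtp.dump' headings) are skipped."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        hits.append(BackdoorHit(
            ts=float(m["ts"]), src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]), sig=m["sig"]))
    return hits


def protocol_of(sig: str) -> str:
    """'http-sig' -> 'http' (assumed naming convention); other names pass through."""
    return sig[:-4] if sig.endswith("-sig") else sig


def classify(hits: List[BackdoorHit],
             expected: Dict[int, str]) -> List[Tuple[BackdoorHit, str]]:
    """Compare what the analyzer claims to see with what the operator runs.
    expected maps destination port -> protocol name ('http', 'smtp', ...).
    Verdict is 'match', 'mismatch', or 'unexpected-port' (port not in the table)."""
    out = []
    for h in hits:
        want = expected.get(h.dport)
        if want is None:
            verdict = "unexpected-port"
        elif protocol_of(h.sig) == want:
            verdict = "match"
        else:
            verdict = "mismatch"
        out.append((h, verdict))
    return out


def summarize(text: str, expected: Dict[int, str]) -> Dict[str, int]:
    """Count verdicts over a whole backdoor.log body."""
    counts = {"match": 0, "mismatch": 0, "unexpected-port": 0}
    for _, verdict in classify(parse_backdoor_log(text), expected):
        counts[verdict] += 1
    return counts


# Records copied from the post above; the two '.dump' headings are kept to
# show that the parser ignores non-record lines.
SAMPLE_LOG = """\
http.dump
1124720330.438091 10.20.188.212/32770 > 10.20.10.34/777 http-sig
1124720338.627503 10.20.188.212/32773 > 10.20.10.34/777 http-sig
1124720425.113738 10.20.188.212/32784 > 10.20.10.34/777 http-sig
smtp.dump
1124785239.632272 127.0.0.1/56034 > 127.0.0.1/778 ftp-sig
1124785306.080354 127.0.0.1/56037 > 127.0.0.1/778 ftp-sig
1124785591.602025 127.0.0.1/56048 > 127.0.0.1/778 ftp-sig
1124785606.143460 127.0.0.1/56050 > 127.0.0.1/778 ftp-sig
"""

# Assumption: the services the operator deliberately placed on each port.
EXPECTED_SERVICE = {777: "http", 778: "smtp"}

if __name__ == "__main__":
    for hit, verdict in classify(parse_backdoor_log(SAMPLE_LOG), EXPECTED_SERVICE):
        print(f"{hit.dst}:{hit.dport} reported {hit.sig:<9} "
              f"expected {EXPECTED_SERVICE.get(hit.dport)} -> {verdict}")
```

Run it on a real backdoor.log after extending EXPECTED_SERVICE with the ports you actually run services on; anything reported as "unexpected-port" is a port the table does not cover, which is the case the backdoor analyzer is really meant to surface.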