reliable off-line protocol detection

Manuel_Crotti · August 23, 2005, 10:47am

Ciao,
I’m trying to make protocol detection on non-standart ports.

I set-up a apaci server on 777 and a mail server (postfix) on 778.
I captured packets with tcpdump.
I parsed dumps with a “bro -C -r protocolName.dump backdoor”

those are the “backdoor.log” results:

http.dump

1124720330.438091 10.20.188.212/32770 > 10.20.10.34/777 http-sig
1124720338.627503 10.20.188.212/32773 > 10.20.10.34/777 http-sig
1124720425.113738 10.20.188.212/32784 > 10.20.10.34/777 http-sig

smtp.dump

1124785239.632272 127.0.0.1/56034 > 127.0.0.1/778 ftp-sig
1124785306.080354 127.0.0.1/56037 > 127.0.0.1/778 ftp-sig
1124785591.602025 127.0.0.1/56048 > 127.0.0.1/778 ftp-sig
1124785606.143460 127.0.0.1/56050 > 127.0.0.1/778 ftp-sig

Best regards,
Manuel.

Topic		Replies	Views
reliable off-line protocol detection Zeek	1	87	May 6, 2022
protocol recognition Zeek	1	86	May 6, 2022
Protocol Analyzer Zeek	3	57	May 6, 2022
Bro behind a TLS reverse proxy Zeek	1	79	May 6, 2022
Scan UDP Zeek	4	72	May 6, 2022

reliable off-line protocol detection

Related Topics