webapp detection

Zeek
1

Hi All,

Am trying to use the webapp detection script to detect webapps like facebook etc

I saw previous threads it was mentioned to enable "Make sure to set your Sites::local_net variable If you set it to
0.0.0.0/0

I have included 0.0.0.0/0 in networks.cfg,

I have also included in local.bro
@load protocols/http/detect-webapps

redef Software::asset_tracking = ALL_HOSTS;

still I couldnt see any webapps traffic mentioning facebook i could see only multicast address like 224.0.0.251

Any solution ,much appreciated

Thanks,

Raj
IT Consultant
Mobile: +45 81923531

Lyskær 9 Inline images 1

2730 Herlev, Denmark

Web: http://www.capmon.dk

2

Hi,

you are probably intermingling two things here. Detect-webapps uses
signatures to find software like phpmyadmin; it is not used to find things
like Facebook traffic.

The second one is the software framework, which tracks software versions.
If you load the right scripts it, e.g., logs Windows versions as
determined from some http headers. This also is not used for facebook,
etc.

There was a script to perform logging of information of applications like
facebook (policy/misc/app-stats). This was removed in Bro 2.5, because it
was not maintained enough and not useful in its current state.

I hope that helps,
Johanna