Which services are identified in conn.log by bro?

Hi all,

I am looking for the list of services that bro/zeek identifies in conn.log. But I am unable to find out exactly how many services bro identifies. Can someone please point out to me the correct script file or source code or documentation where I can get the list of services that bro detects?

Documentation says :

application-layer services (the service field is filled in as Bro determines a specific protocol to be in use, independent of the connection's ports)

But where are these services defined? How many are identified in the conn.log?

Thanks in advance!

Regards,

Sachin Giri

You can find how this field gets set by grepping through Zeek’s source.

$ grep -R '\$service' ./scripts | grep 'add'
./scripts/base/frameworks/dpd/main.bro: add c$service[analyzer];
./scripts/base/frameworks/dpd/main.bro: add c$service[fmt("-%s", analyzer)];
./scripts/base/protocols/ftp/main.bro: add c$service["ftp-data"];
./scripts/base/protocols/ftp/gridftp.bro: add c$service["gridftp-data"];
./scripts/base/protocols/ftp/gridftp.bro: add c$service["gridftp"];
./scripts/base/protocols/irc/dcc-send.bro: add c$service["irc-dcc-data"];

Most services are identified via the Dynamic Protocol Detection (DPD) framework.
https://www.zeek.org/development/howtos/dpd.html
Looking at scripts/base/frameworks/dpd/main.bro, you can see that
the service field is set within the protocol_confirmation() scriptland
event which is generated by protocol analyzers in C++land. The
ProtocolConfirmation() function from src/analyzer/Analyzer.cc is how
the scriptland event is called.

Grepping for that function in the source shows 29 different protocol analyzers.

$ grep -R 'ProtocolConfirmation' ./src/* | cut -f1 -d':' | grep 'protocol' | cut -d'/' -f5 | sort -u
ayiya
bittorrent
dce-rpc
dhcp
dnp3
dns
ftp
gssapi
gtpv1
http
imap
irc
krb
modbus
mysql
ntlm
pop3
radius
rdp
rfb
sip
smb
smtp
snmp
socks
ssh
ssl
teredo
xmpp

It seems that there are, in total, 33 possible connection service values.

-AK
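An added example, not from the thread or from Zeek itself: a small Python reader for the conn.log service field that tallies confirmed analyzers, separates the "-analyzer" entries that dpd/main.bro adds (assumed here to mean an analyzer that was confirmed and later raised a protocol violation), and flags a service seen on a port other than the one you expect, which is the point of "independent of the connection's ports". The sample log and the EXPECTED_PORTS map are constructed assumptions.

```python
from collections import Counter

# Constructed sample in Zeek's default TSV conn.log layout; "-" is Zeek's unset value.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
1500000000.1\tCabc1\t10.0.0.5\t51234\t10.0.0.9\t80\ttcp\thttp\tSF
1500000001.2\tCabc2\t10.0.0.5\t51235\t10.0.0.9\t443\ttcp\tssl\tSF
1500000002.3\tCabc3\t10.0.0.5\t51236\t10.0.0.9\t443\ttcp\tssh\tSF
1500000003.4\tCabc4\t10.0.0.5\t51237\t10.0.0.9\t8080\ttcp\thttp,-ssl\tSF
1500000004.5\tCabc5\t10.0.0.5\t51238\t10.0.0.9\t4444\ttcp\t-\tS0
"""

# Assumed site policy: which responder ports each DPD-identified service is expected on.
EXPECTED_PORTS = {"http": {80, 8080}, "ssl": {443}, "ssh": {22}, "dns": {53}}


def parse_conn_log(text: str) -> list:
    """Parse Zeek TSV conn.log text into dicts keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #open, #close, ...)
        elif fields:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def services_of(record: dict) -> set:
    """service is a set[string]; Zeek prints it comma-joined, or '-' when empty."""
    raw = record.get("service", "-")
    return set() if raw == "-" else set(raw.split(","))


def summarize(records: list):
    """Return (confirmed analyzer counts, violated analyzer counts, off-port hits)."""
    confirmed, violated, off_port = Counter(), Counter(), []
    for r in records:
        port = int(r["id.resp_p"])
        for s in services_of(r):
            if s.startswith("-"):
                violated[s[1:]] += 1  # the fmt("-%s", analyzer) entry from dpd/main.bro
                continue
            confirmed[s] += 1
            expected = EXPECTED_PORTS.get(s)
            if expected is not None and port not in expected:
                off_port.append((r["uid"], s, port))
    return confirmed, violated, off_port


if __name__ == "__main__":
    print(summarize(parse_conn_log(SAMPLE_CONN_LOG)))
```

Feed it a real conn.log (zeek-cut is not needed, the #fields header drives the parsing) and the off-port list is a cheap first pass for tunnelled or disguised protocols.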