On Jul 13, 2010, at 10:39 PM, Ben Rosenberg wrote:
I have started poking around some of the scripts and
trying a few of the exercises in the slides from the 2009 Bro workshop. So far everything
is working well.
I have created a few patches to fix small problems I
had or add features that I was looking for.
- Patched main.cc to add the -N command line flag.
- Removed duplicate login_non_failure_msgs from policy/login.bro.
- Commented out example in policy/scan.bro.
- Edited policy/ssh.bro to print what port is being used for ssh servers.
- Created policy/dpd.ssh.bro that tells ssh to capture on all tcp ports.
- Changed src/DPM.cc so that the SSH Analyzer is hooked into the analyzer tree.
It would be best to submit these as patch tickets into the tracker at:
I'll coordinate with you off-list for getting a tracker account set up. We removed
the ability for people to create their own accounts due to abuse.
I also started to convert the 6000+ Nmap service
probe signatures into dpd signatures.
Unfortunately, without a corresponding analyzer the most you can do is log what protocol
was possibly seen on the connection. I've thought of doing the same thing before and
it's pretty easy at least. The only reason I stopped was that there weren't too
many worthwhile protocols, but I was looking at the regexes from the l7-filters
project. Maybe the nmap signatures are better?
I have a set of scripts you may be interested in checking out at:
Let me know if you have any questions.
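The conversion discussed above, Nmap service-probe `match` lines into Bro DPD signatures that do nothing but raise an event (so the guessed protocol can be logged, since no analyzer is attached), as an added example; this is not code from the thread or from the Bro project. It assumes that Bro signature `payload` patterns use flex-style regex syntax (no `\d`, `\w`, `\s`, no lazy quantifiers or inline options) and are anchored at the start of the payload, that Nmap never escapes its pattern delimiter, and that `match` lines describe the server's reply. The probe file excerpt is constructed, not copied from nmap-service-probes.

```python
import re

# Constructed excerpt in nmap-service-probes syntax (not copied from nmap's own file).
SAMPLE_PROBES = r"""
Probe TCP NULL q||
match ssh m|^SSH-([\d.]+)-OpenSSH[_ ]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match ftp m|^220.*FTP server ready\r\n| p/Generic FTP/
softmatch smtp m|^220 .*SMTP|i i/generic/
match http m|^HTTP/1\.[01] \d\d\d|s p/HTTP/
match irc m|^:\S+ NOTICE AUTH :.*?\r\n| p/ircd/
Probe UDP DNSStatusRequest q|\0\0\x10\0\0\0\0\0\0\0\0\0|
match dns m|^\0\0\x90\x04| p/DNS server/
"""

MATCH_RE = re.compile(r'^(match|softmatch)\s+(\S+)\s+m(.)')
# PCRE features with no equivalent in Bro's flex-style signature patterns (assumption).
UNSUPPORTED = re.compile(r'[*+?}]\?|\(\?|\\[bB]|\$')
# PCRE shorthand -> (class body, negated); flex has no \d, \w or \s.
SHORTHAND = {r'\d': ('0-9', False), r'\D': ('0-9', True),
             r'\w': ('a-zA-Z0-9_', False), r'\W': ('a-zA-Z0-9_', True),
             r'\s': (r' \t\r\n\f', False), r'\S': (r' \t\r\n\f', True)}

def translate_regex(pat):
    """Rewrite a PCRE pattern for a Bro 'payload' line; None if it cannot be expressed."""
    if UNSUPPORTED.search(pat):
        return None
    # Bro payload patterns are anchored at the payload start (assumption): drop a
    # leading ^, and give an unanchored nmap pattern a leading .* instead.
    out = [] if pat.startswith('^') else ['.*']
    pat, in_class, i = pat.lstrip('^'), False, 0
    while i < len(pat):
        c = pat[i]
        if c == '\\' and i + 1 < len(pat):
            esc = pat[i:i + 2]
            if esc in SHORTHAND:
                chars, negated = SHORTHAND[esc]
                if in_class and negated:
                    return None  # [...\D...] has no flex equivalent
                out.append(chars if in_class else '[%s%s]' % ('^' if negated else '', chars))
            else:
                out.append(esc)  # \r, \n, \x04, \0, \. and similar are valid as-is
            i += 2
            continue
        if c == '[' and not in_class:
            in_class = True  # (a literal ] as the first class member is not handled)
        elif c == ']' and in_class:
            in_class = False
        elif c == '/':
            c = r'\/'  # an unescaped / would terminate the payload pattern
        out.append(c)
        i += 1
    return ''.join(out)

def parse_probes(text):
    """Yield (ip_proto, kind, service, regex, flags) for every match/softmatch line."""
    ip_proto = 'tcp'
    for line in text.splitlines():
        if line.startswith('Probe '):
            ip_proto = line.split()[1].lower()  # 'Probe TCP ...' or 'Probe UDP ...'
            continue
        m = MATCH_RE.match(line)
        if not m:
            continue  # comments, 'ports', 'rarity' and blank lines
        kind, service, delim = m.groups()
        rest = line[m.end():]
        end = rest.find(delim)  # nmap never escapes the delimiter inside the pattern
        if end >= 0:
            flags = re.match(r'[a-z]*', rest[end + 1:]).group(0)
            yield ip_proto, kind, service, rest[:end], flags

def to_signature(name, ip_proto, kind, service, regex, flags):
    """One Bro signature that only raises an event, or None if the regex was skipped."""
    body = translate_regex(regex)
    if body is None:
        return None
    lines = ['signature %s {' % name, '  ip-proto == %s' % ip_proto]
    if ip_proto == 'tcp':
        lines.append('  tcp-state responder')  # match lines describe the server's reply
    for f in flags:
        lines.append("  # nmap flag '%s' not translated; check the pattern by hand" % f)
    lines += ['  payload /%s/' % body,
              '  event "nmap-probe%s: %s"' % (' (soft)' if kind == 'softmatch' else '', service),
              '}']
    return '\n'.join(lines)

def convert(text):
    """Return (signature blocks, [(service, regex) pairs that could not be translated])."""
    sigs, skipped, seen = [], [], {}
    for ip_proto, kind, service, regex, flags in parse_probes(text):
        seen[service] = seen.get(service, 0) + 1
        name = 'nmap_%s_%d' % (re.sub(r'\W', '_', service), seen[service])
        sig = to_signature(name, ip_proto, kind, service, regex, flags)
        if sig is None:
            skipped.append((service, regex))
        else:
            sigs.append(sig)
    return sigs, skipped

if __name__ == '__main__':
    signatures, unconverted = convert(SAMPLE_PROBES)
    print('\n\n'.join(signatures))
    print('\n'.join('# skipped %s: %s' % pair for pair in unconverted))
```

Patterns the translator cannot express are reported rather than emitted with altered meaning, and the `i`/`s` flags are left as comments inside the signature so the person reviewing the output knows which matches need a manual look. Each emitted signature carries only an `event` line, which is exactly the "log what protocol was possibly seen" outcome the reply describes.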