
List:       bro
Subject:    Re: [Zeek] Which services are identified in conn.log by bro?
From:       anthony kasza <anthony.kasza () gmail ! com>
Date:       2019-05-28 15:14:18
Message-ID: CAEZw2byoFinhaYRtfY5O-qH7s00OOykPMTsrNNrULyMq0YDrdA () mail ! gmail ! com



You can find how this field gets set by grepping through Zeek's source.

```
$ grep -R '\$service' ./scripts | grep 'add'
./scripts/base/frameworks/dpd/main.bro: add c$service[analyzer];
./scripts/base/frameworks/dpd/main.bro: add c$service[fmt("-%s", analyzer)];
./scripts/base/protocols/ftp/main.bro: add c$service["ftp-data"];
./scripts/base/protocols/ftp/gridftp.bro: add c$service["gridftp-data"];
./scripts/base/protocols/ftp/gridftp.bro: add c$service["gridftp"];
./scripts/base/protocols/irc/dcc-send.bro: add c$service["irc-dcc-data"];
```

Most services are identified via the Dynamic Protocol Detection (DPD)
framework.
https://www.zeek.org/development/howtos/dpd.html
Looking at `scripts/base/frameworks/dpd/main.bro`, you can see that
the service field is set within the protocol_confirmation() scriptland
event which is generated by protocol analyzers in C++land. The
ProtocolConfirmation() function from `src/analyzer/Analyzer.cc` is how
the scriptland event is called.

Grepping for that function in the source shows 29 different protocol
analyzers.

```
$ grep -R 'ProtocolConfirmation' ./src/* | cut -f1 -d':' | grep 'protocol' \
    | cut -d'/' -f5 | sort -u
ayiya
bittorrent
dce-rpc
dhcp
dnp3
dns
ftp
gssapi
gtpv1
http
imap
irc
krb
modbus
mysql
ntlm
pop3
radius
rdp
rfb
sip
smb
smtp
snmp
socks
ssh
ssl
teredo
xmpp
```

It seems that there are, in total, 33 possible connection service values.


-AK


On Mon, May 27, 2019, 23:10 Sachinji Giri <sachin.giribuva@niyuj.com> wrote:

> Hi all,
>
> I am looking for the list of services that bro/zeek identifies in
> conn.log. But I am unable to find out exactly how many services bro
> identifies. Can someone please point out to me the correct script file or
> source code or documentation where I can get the list of services that bro
> detects?
>
> Documentation says:
>
>> application-layer services ( - the service field is filled in as Bro
>> determines a specific protocol to be in use, independent of the
>> connection's ports)
>>
>
>
>
> But where are these services defined? How many are identified in the
> conn.log?
>
> Thanks in advance!
>
> Regards,
>
> Sachin Giri
> _______________________________________________
> Zeek mailing list
> zeek@zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

_______________________________________________
Zeek mailing list
zeek@zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
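The reply above explains where the conn.log `service` field comes from: the DPD `protocol_confirmation` event (with `-analyzer` entries added by `dpd/main.bro` after a later protocol violation) plus a few explicit `add c$service[...]` calls, and that the value is independent of the connection's ports. The script below is an added example, not part of this thread and not Zeek's own code. It parses a constructed conn.log excerpt in Zeek's ASCII log format, tallies the service values, keeps the `-http` failure marker distinct from the `-` unset marker, and flags connections whose confirmed service is running on a port where it is not normally expected. The log lines, uids, addresses and the `EXPECTED_PORTS` table are assumptions constructed for the example.

```python
"""Tally conn.log service values and flag port/service mismatches.

Added example for this thread (not Zeek's own code). The log excerpt,
uids, addresses and the EXPECTED_PORTS table are constructed assumptions.
"""
from collections import Counter

# Constructed conn.log excerpt in Zeek's ASCII log format: tab-separated,
# set members joined by #set_separator, unset fields written as #unset_field.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\n"
    "1559055258.000000\tCabc1\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\thttp\t0.5\n"
    "1559055259.000000\tCabc2\t10.0.0.5\t51235\t192.0.2.11\t443\ttcp\tssl\t1.2\n"
    "1559055260.000000\tCabc3\t10.0.0.6\t51236\t192.0.2.12\t8443\ttcp\tssh\t3.4\n"
    "1559055261.000000\tCabc4\t10.0.0.7\t51237\t192.0.2.13\t21\ttcp\tftp,ftp-data\t2.0\n"
    "1559055262.000000\tCabc5\t10.0.0.8\t51238\t192.0.2.14\t80\ttcp\t-http\t0.1\n"
    "1559055263.000000\tCabc6\t10.0.0.9\t51239\t192.0.2.15\t53\tudp\tdns\t0.0\n"
    "1559055264.000000\tCabc7\t10.0.0.9\t51240\t192.0.2.16\t9999\ttcp\t-\t0.0\n"
    "#close\t2019-05-28-15-14-18\n"
)


def parse_zeek_log(text):
    """Parse a Zeek ASCII log. Returns (rows, set_sep, unset), where rows are
    dicts keyed by the names on the #fields line."""
    sep, set_sep, unset, fields, rows = "\t", ",", "-", None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator directive is the only one delimited by a space;
            # its value is an escape sequence such as \x09.
            sep = line[len("#separator "):].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        rows.append(dict(zip(fields, line.split(sep))))
    return rows, set_sep, unset


def services_of(row, set_sep, unset):
    """Split the service field into its set members. The unset marker is
    exactly '-', so a DPD failure entry such as '-http' is a real value."""
    raw = row.get("service", unset)
    return [] if raw == unset else raw.split(set_sep)


# Ports a confirmed service is normally expected on (assumption for the
# example; tune to the monitored network).
EXPECTED_PORTS = {"http": {80, 8080}, "ssl": {443}, "ssh": {22},
                  "ftp": {21}, "dns": {53}}


def analyze(text):
    """Return a tally of service values plus three lists worth a look:
    analyzers that confirmed and then failed ('-name' entries from
    dpd/main.bro), confirmed services on unexpected ports, and connections
    with no identified service at all."""
    rows, set_sep, unset = parse_zeek_log(text)
    tally, failed, mismatches, unidentified = Counter(), [], [], []
    for row in rows:
        svcs = services_of(row, set_sep, unset)
        if not svcs:
            unidentified.append(row["uid"])
            continue
        resp_port = int(row["id.resp_p"])
        for svc in svcs:
            tally[svc] += 1
            if svc.startswith("-"):
                failed.append((row["uid"], svc[1:]))
            elif svc in EXPECTED_PORTS and resp_port not in EXPECTED_PORTS[svc]:
                mismatches.append((row["uid"], svc, resp_port))
    return {"tally": tally, "failed": failed,
            "mismatches": mismatches, "unidentified": unidentified}


if __name__ == "__main__":
    result = analyze(SAMPLE_CONN_LOG)
    for svc, n in sorted(result["tally"].items()):
        print(f"{svc:12} {n}")
    print("failed after confirmation:", result["failed"])
    print("service on unexpected port:", result["mismatches"])
    print("no service identified:", result["unidentified"])
```

Run against a real conn.log by passing its contents to `analyze()`; the parser reads the `#separator`, `#set_separator` and `#unset_field` directives rather than assuming them, so it also copes with logs written with non-default separators. A service on an unexpected port is exactly the case the documentation quoted in the question is about (service determined by content, not port), which is why it is worth surfacing separately from the plain tally.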
