bro

Where are the built-in scripts for identifying popular web applications?


I am investigating Bro as a DPI solution to identify popular web applications (something like nDPI). I can identify that conn.log is analogous to NetFlow.

In the official documentation, it has been said that

In addition to the logs, Bro comes with built-in functionality for a range of analysis and detection tasks,... identifying popular web applications...

So I was looking at the Bro source code and examples, but I could not find any default log which identifies popular web application flows.

I ultimately want conn.log or a similar log to contain "a popular web application service" under the service tag.

It would be great if someone could point me to the built-in script to identify popular webapps and the concerned logs.

Thanks in advance!


Solution

  • This comment in the docs refers to these policies/sigs, Sachin:

    https://github.com/zeek/zeek/blob/master/scripts/policy/protocols/http/detect-webapps.zeek
    https://github.com/zeek/zeek/blob/master/scripts/policy/protocols/http/detect-webapps.sig

    These are fairly dated (except for the recent Zeek renaming and compatibility updates).