
Which services are identified in conn.log by Bro?


I am looking for the list of services that Bro/Zeek identifies in conn.log, but I am unable to find out exactly how many services Bro identifies. Where can I find the correct script file, source code or documentation that lists the services Bro detects?

E.g. this documentation section just mentions that

application-layer services ( - the service field is filled in as Bro determines a specific protocol to be in use, independent of the connection’s ports),

But where are these services defined?


Solution

  • The answer to this question is a bit complex, because it depends on the set of protocol analyzers present on your system and how they are configured (i.e., how/whether Zeek may select them for individual connections).

    That said, this list defines the set of supported analyzers. There may be more if you install additional ones on your system via the package manager.

    The nitty-gritty details are spelled out in the original paper.
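
Because the set of services depends on the analyzers installed, a practical complement is to tally the `service` column of your own conn.log. The following is an added example, not part of the original answer or of Zeek itself; it assumes Zeek's default TSV log format, the function name `count_services` is hypothetical, and the sample log lines are constructed.

```python
from collections import Counter

# Constructed sample in Zeek's TSV log format (not real traffic); columns trimmed.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "#types\ttime\tstring\taddr\taddr\tport\tenum\tstring\n"
    "1700000000.1\tCa1\t192.0.2.10\t198.51.100.5\t443\ttcp\tssl\n"
    "1700000001.2\tCa2\t192.0.2.10\t198.51.100.53\t53\tudp\tdns\n"
    "1700000002.3\tCa3\t192.0.2.11\t198.51.100.53\t53\tudp\tdns\n"
    "1700000003.4\tCa4\t192.0.2.11\t198.51.100.7\t8080\ttcp\thttp\n"
    "1700000004.5\tCa5\t192.0.2.12\t198.51.100.9\t4444\ttcp\t-\n"
    "1700000005.6\tCa6\t192.0.2.12\t198.51.100.8\t445\ttcp\tgssapi,ntlm,smb\n"
    "#close\t2023-11-14-22-13-20\n"
)

def count_services(lines):
    """Tally the service column of a Zeek TSV conn.log, honouring its header."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields = None
    counts = Counter()
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#separator"):
            # The separator is written as an escape sequence such as \x09.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, *vals = line[1:].split(sep)
            if key == "fields":
                fields = vals
            elif key == "set_separator" and vals:
                set_sep = vals[0]
            elif key == "unset_field" and vals:
                unset = vals[0]
            elif key == "empty_field" and vals:
                empty = vals[0]
        else:
            if fields is None or "service" not in fields:
                raise ValueError("no #fields header with a service column")
            value = dict(zip(fields, line.split(sep))).get("service", unset)
            if value in (unset, empty):
                counts["(unidentified)"] += 1  # no analyzer confirmed a protocol
            else:
                counts.update(value.split(set_sep))  # one connection may list several
    return counts

if __name__ == "__main__":
    for service, n in count_services(SAMPLE_CONN_LOG.splitlines()).most_common():
        print(f"{n:6d}  {service}")
```

Connections counted as `(unidentified)` are those where the `service` field was left unset, which is worth reviewing separately from the identified protocols.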