[Bro] LDAP Analyzer

Vern Paxson vern at icir.org
Tue Oct 5 01:24:37 PDT 2004


An LDAP analyzer would be great to have.

> Obviously, I'm new to BRO.  I looked through the documentation and was 
> not able to find anything on extending BRO's collection of analyzers.  

Unfortunately, there isn't documentation for this yet.  The way to go
about it, though, is to identify an analyzer Bro already supports for
a protocol that's similar to the one you want to do, and use the
corresponding classes (in say HTTP.{h,cc} or DNS.{h,cc}, for example)
as templates.

> I'm especially interested in how to define event_handlers for custom
> policy scripts that leverage the LDAP analyzer.

See the file event.bif, which serves as the glue between the C++ of the
event engine and the .bro policy script files.

		Vern


