[Bro] Activating a scanner within a scanner?

Robin Sommer robin at icir.org
Tue May 15 18:37:27 PDT 2007

On Fri, May 11, 2007 at 16:10 +0200, you wrote:

> SIP may contain SDP, whereas SDP is mainly used in SIP. SDP could be
> used for the description of other sessions, 
> The only information about SDP in SIP is the Content-Length field,

Ok, so then I would go for a separate analyzer.

> SIP is UDP-based. Would this work for DeliverPacket, as well?

Yes. The "packet" is actually just a chunk of data, with the actual
interpretation being left to the analyzer.

> I tried looking at the HTTP analyzer, because this protocol uses a
> newline to show when the header is finished, but to no avail.

If I understand you correctly, you should be able to do this in the
same way as the HTTP analyzer does it. I think this is the relevant
type from http-protocol.pac:

     type HTTP_Headers = HTTP_Header[] &until($input.length() == 0);

Does something similar work for you?     

Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
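
Added example, not part of the original message and not Bro or binpac code: a Python sketch of the approach discussed above, reading header lines until the empty line, bounding the body by Content-Length, and handing it to a separate SDP parser. All function names are hypothetical, the sample message is constructed, and the Content-Type check is an assumption the thread does not mention.

```python
# Added illustration, not Bro or binpac code; all function names are hypothetical.

def read_until_empty_line(data):
    """Collect CRLF-terminated lines up to the first empty one.

    Same stop condition as HTTP_Header[] &until($input.length() == 0).
    Returns (lines, offset of the first byte after the empty line)."""
    lines, pos = [], 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("header block not terminated by an empty line")
        line, pos = data[pos:end], end + 2
        if len(line) == 0:
            return lines, pos
        lines.append(line)

def parse_sdp(body):
    """Separate SDP parser: 'x=value' lines become (type, value) pairs."""
    fields = []
    for line in body.splitlines():
        if line[1:2] != b"=":
            raise ValueError("malformed SDP line: %r" % line)
        fields.append((line[:1].decode(), line[2:].decode()))
    return fields

def deliver_packet(data):
    """Treat one UDP payload as a SIP message; hand any SDP body to parse_sdp."""
    lines, body_off = read_until_empty_line(data)
    if not lines:
        raise ValueError("missing start line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    clen = int(headers.get(b"content-length", b"0"))
    body = data[body_off:]
    if clen < 0 or clen > len(body):  # never trust the declared length over the datagram
        raise ValueError("Content-Length does not fit the datagram")
    is_sdp = headers.get(b"content-type", b"").lower() == b"application/sdp"
    return lines[0].decode(), headers, parse_sdp(body[:clen]) if is_sdp else None

# Constructed sample message (addresses from documentation ranges).
SDP = (b"v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
       b"c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
SAMPLE = (b"INVITE sip:bob@example.com SIP/2.0\r\nContent-Type: application/sdp\r\n"
          b"Content-Length: " + str(len(SDP)).encode() + b"\r\n\r\n" + SDP)

if __name__ == "__main__":
    print(deliver_packet(SAMPLE))
```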
