[Bro] Understanding the event generation and handling

Sunjeet Singh sstattla at gmail.com
Wed Oct 6 11:37:58 PDT 2010


I've been looking at the Bro documentation and source code recently. I 
need to get into lower-level details and looking at Source code is not 
helping me.

Specifically, I need to get to the logic of-
1. Event generation: How does Bro know which all events to raise by 
looking at a particular packet? I have a basic understanding of the 
class hierarchy, but I don't know where to look for the code that 
decides which specific Application layer analyzer object to create by 
looking at the Application Layer header/signature of the incoming packet.

2. Event handling: It seems that an event's information is stored in an 
object and all events are queued in an Event Manager as they are 
created. After every packet is processed, this queue of events is 
drained (thus following a single-threaded model) and the events are sent 
to a Serializer. I found the serialization code hard to understand so I 
don't know the logic of how an event-handler (interpreter?) decides 
which event belongs to it. I'd really like to know the mechanism in here.

Can someone please suggest which debugger to use and how, so that I can 
step-by-step understand the event-engine?

Thank you,
Sunjeet Singh

More information about the Bro mailing list