[Bro] Understanding the event generation and handling
sstattla at gmail.com
Wed Oct 6 11:37:58 PDT 2010
I've been looking at the Bro documentation and source code recently. I
need to get into lower-level details and looking at source code is not
Specifically, I need to get to the logic of:
1. Event generation: How does Bro know which events to raise by
looking at a particular packet? I have a basic understanding of the
class hierarchy, but I don't know where to look for the code that
decides which specific Application layer analyzer object to create by
looking at the Application Layer header/signature of the incoming packet.
2. Event handling: It seems that an event's information is stored in an
object and all events are queued in an Event Manager as they are
created. After every packet is processed, this queue of events is
drained (thus following a single-threaded model) and the events are sent
to a Serializer. I found the serialization code hard to understand so I
don't know the logic of how an event-handler (interpreter?) decides
which event belongs to it. I'd really like to know the mechanism in here.
Can someone please suggest which debugger to use and how, so that I can
step-by-step understand the event-engine?