[Bro] Understanding the event generation and handling
vern at icir.org
Wed Oct 6 17:00:08 PDT 2010
> Specifically, I need to get to the logic of-
> 1. Event generation: How does Bro know which all events to raise by
> looking at a particular packet?
There is a tree of analyzers that's traversed (perhaps taking multiple
branches at any given point).
> I have a basic understanding of the
> class hierarchy, but I don't know where to look for the code that
> decides which specific Application layer analyzer object to create by
> looking at the Application Layer header/signature of the incoming packet.
The architecture here is described in the paper:
If you are looking for specific details regarding names of classes/methods,
etc., then you'll probably have to wait until Robin comes back from vacation
in a couple of weeks.
> 2. Event handling: It seems that an event's information is stored in an
> object and all events are queued in an Event Manager as they are
> After every packet is processed, this queue of events is
> drained (thus following a single-threaded model) and the events are sent
> to a Serializer. I found the serialization code hard to understand so I
Ignore the serializer. It's there for things like communication between
multiple Bro processes.
> Can someone please suggest which debugger to use and how, so that I can
> step-by-step understand the event-engine?
Well, I use gdb, and if I must, I start with invocations of
If you want to sketch your particular goal, that might help with giving
you more focussed advice.
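As an added illustration (not Bro's source, nor Vern's code), a small Python model of the engine as described in this thread: a tree of analyzers traversed per packet, with each analyzer queueing events in an event manager whose queue is drained, single-threaded, after every packet. The analyzers, match predicates and sample packets are constructed for the example; handlers that raise further events show those joining the same drain.

```python
from collections import deque

class EventManager:
    """Analyzers queue events here; the queue is drained once per packet."""
    def __init__(self):
        self.queue, self.handlers = deque(), {}  # handlers: event name -> callables
    def queue_event(self, name, *args):
        self.queue.append((name, args))
    def drain(self):  # FIFO dispatch; handlers may queue more events into this drain
        delivered = []
        while self.queue:
            name, args = self.queue.popleft()
            for handler in self.handlers.get(name, []):
                handler(*args)
            delivered.append(name)
        return delivered

class Analyzer:  # tree node: match predicate, event-raising body, child analyzers
    def __init__(self, mgr, match, body=None, children=()):
        self.mgr, self.match, self.body, self.children = mgr, match, body, children
    def deliver(self, pkt):
        if self.body:
            self.body(self.mgr, pkt)
        for child in self.children:  # more than one branch may match a packet
            if child.match(pkt):
                child.deliver(pkt)

def build_tree(mgr):  # constructed toy tree: ip -> tcp -> {http, ssh}
    http = Analyzer(mgr, lambda p: p["payload"].startswith(b"GET "),
                    lambda m, p: m.queue_event("http_request", p["payload"].split()[1]))
    ssh = Analyzer(mgr, lambda p: p["payload"].startswith(b"SSH-"),
                   lambda m, p: m.queue_event("ssh_banner", p["payload"]))
    tcp = Analyzer(mgr, lambda p: p["proto"] == "tcp",
                   lambda m, p: m.queue_event("tcp_packet", p["dport"]), [http, ssh])
    return Analyzer(mgr, lambda p: True, None, [tcp])  # root sees every packet

def process_packets(packets):  # returns the event names delivered per packet
    mgr = EventManager()
    mgr.handlers["http_request"] = [lambda uri: mgr.queue_event("http_uri_seen", uri)]
    root, results = build_tree(mgr), []
    for pkt in packets:
        root.deliver(pkt)
        results.append(mgr.drain())  # single-threaded: drained after every packet
    return results

SAMPLE = [  # constructed packets, not real captures
    {"proto": "tcp", "dport": 80, "payload": b"GET /index.html HTTP/1.1"},
    {"proto": "udp", "dport": 53, "payload": b"example.com"},
    {"proto": "tcp", "dport": 22, "payload": b"SSH-2.0-OpenSSH"},
]
```

The UDP packet matches no branch below the root and so yields no events; the HTTP packet shows a handler-raised event delivered in the same drain as the event that triggered it.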