[Bro] Adding Events to Bro
james.swaro at gmail.com
Wed Sep 22 10:13:53 PDT 2010
To the Bro-IDS team,
My name is James Swaro and I am a graduate student at Ohio University. I
am performing research on the retransmission timeout mechanism of TCP
and I am using Bro to do this. Bro provides a very good base for my
research and I would like to modify the system as needed to create the
events and policy files necessary. The documentation that is available
on your wiki is extensive and has been very helpful in understanding the
general structure of the system.
Mark Allman and Katrina were generous to share the RTT branch that they
were working on. I need to add events to the systems to generate
specific information when congestion control states have possibly been
triggered. I've attempted to create an event in the source code by
editing event.bif and TCP.cc, but it does not seem to recognize the
event and crashes. Either that, or I've misunderstood the way that the
data from the event is created.
Am I incorrect with the process of adding a new event?
1. Add the event in event.bif. (Ex. event test_something...)
2. Add the event in the intended location to be called by Bro as it
parses the file. (Ex. Add Event(test_something, vl); to some file).
3. Recompile and test.
I am still learning the framework and I appreciate any help. Thank you
for your time.
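As an added illustration of the three steps above (constructed for this page; it is neither part of James's message nor Bro's own source), here are the declaration and script-side pieces for a hypothetical event named test_something that carries the connection record plus a count. The .bif line uses the %( ... %) parameter delimiters that Bro's bifcl expects, and the handler is ordinary policy-script code. The C++ emission for step 2 is assumed to be placed inside TCP_Analyzer and to look like `val_list* vl = new val_list; vl->append(BuildConnVal()); vl->append(new Val(n, TYPE_COUNT)); ConnectionEvent(test_something, vl);`, after which the event engine owns vl and every Val in it, so the caller must not Unref or delete them.

```bro
# --- src/event.bif (added declaration; hypothetical event name) ---
# bifcl turns this line into the EventHandlerPtr 'test_something' that the
# C++ side references, so the tree must be rebuilt after editing event.bif.
#
#   event test_something%(c: connection, rto_count: count%);

# --- policy script, e.g. rto.bro (constructed example handler) ---
# The handler signature must match the .bif declaration exactly
# (same parameter count and types), otherwise the script will not load.
# If no script defines a handler, the event is simply never queued.

global rto_events: count = 0;

event test_something(c: connection, rto_count: count)
	{
	++rto_events;
	print fmt("%s: possible RTO on %s:%s -> %s:%s (count=%d)",
	          network_time(), c$id$orig_h, c$id$orig_p,
	          c$id$resp_h, c$id$resp_p, rto_count);
	}

event bro_done()
	{
	print fmt("total test_something events: %d", rto_events);
	}
```

Two checks worth making on the C++ side: test that the handler is actually defined (`if ( test_something )`) before building the val_list, so no values are allocated for an event nobody handles, and make sure every Val appended to the list is a freshly created or Ref'd value, since the event queue will Unref each one after the handler runs.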