[Bro] Adding Events to Bro
vern at icir.org
Wed Sep 22 10:23:13 PDT 2010
> Am I incorrect with the process of adding a new event?
> 1. Add the event in event.bif. (Ex. event test_something...)
> 2. Add the event in the intended location to be called by Bro as it
> parses the file. (Ex. Add Event(test_something, vl); to some file).
> 3. recompile and test.
In general, yes, that's the procedure. Note that test_something will be
nil if you run using a script that doesn't include a handler for it.
(But Connection::Event checks for this, so that shouldn't cause a crash.)
A common problem is observing that the event doesn't get generated
(as opposed to a crash). That often comes about because you're running
with the default pcap filter, or in any case with a filter that doesn't
include the traffic you're analyzing. So you might need to run with e.g.
"-f tcp" to capture all TCP packets.
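As an added illustration (not part of the original post or of the Bro distribution), here is the script-side complement of the three steps quoted above. It assumes the new event was declared in event.bif as `event test_something%(c: connection%);` and that the C++ side generates it with a connection value as its only argument; both the name `test_something` and that signature are assumptions for illustration. The script covers the two failure modes the reply describes: the handler that makes the event's EventHandlerPtr non-nil, and a capture filter that actually admits the traffic being analyzed.

```bro
# Added example, not code from the original post or from Bro itself.
# Assumes event.bif contains:  event test_something%(c: connection%);
# and that the C++ side calls ConnectionEvent(test_something, 0, vl)
# with vl holding one connection value (both are assumptions here).

# Widen the capture filter so the traffic of interest reaches the analyzer.
# This is the script-side equivalent of running with "-f tcp"; entries in
# capture_filters are OR-ed together into the pcap filter Bro installs.
redef capture_filters += { ["test_something_all_tcp"] = "tcp" };

# Without a handler like this, the C++ EventHandlerPtr for test_something
# stays nil and Connection::ConnectionEvent silently discards the event,
# so nothing is observed even though the Event() call is reached.
event test_something(c: connection)
	{
	print fmt("test_something generated for %s:%s -> %s:%s",
	          c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
	}

# Confirms the script was loaded at all, which rules out a silent
# "no handler" situation before looking at the filter.
event bro_init()
	{
	print "test_something handler loaded";
	}
```

Load it against a trace (`bro -r trace.pcap test_something.bro`) or a live interface; because the script redefines `capture_filters`, the `-f tcp` command-line filter from the reply is not also needed. If "test_something handler loaded" prints but the per-connection line never does, the remaining suspects are the filter still excluding the traffic or the C++ generation point never being reached.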