[Bro] segmentation fault by adding an analyzer to port 80

Eric Asselin Eric.Asselin at usherbrooke.ca
Thu Apr 4 02:15:06 PDT 2013

When I force the analyzer to be activated by modifying DPM.cc,
everything works well. But when I try to activate it by using a Bro
script, like this:

    global foo_ports: set[port] = { 80/tcp } &redef;
    redef dpd_config += { [ANALYZER_MYPROTO] = [$ports = foo_ports] };

a segmentation fault appears at the end of the script.

Here is the command I use to execute it (note that the browse.pcap file
came from a Bro workshop):

    bro -b -r browse.pcap my_proto.bro

Here's the complete code of the analyzer and the Bro script:

    // MyProto.h: analyzer declaration
    #ifndef myproto_h
    #define myproto_h

    #include "Analyzer.h"

    class MyProto_Analyzer : public Analyzer {
    public:
        MyProto_Analyzer(Connection* conn);
        virtual ~MyProto_Analyzer();

        virtual void Init();

        // Factory and availability hooks used when the analyzer is registered.
        static Analyzer* InstantiateAnalyzer(Connection* conn)
            { return new MyProto_Analyzer(conn); }

        static bool Available() { return true; }

        virtual void Done();

        virtual void DeliverPacket(int len, const u_char* data, bool orig,
                        int seq, const IP_Hdr* ip, int caplen);
    };

    #endif

    // Analyzer implementation
    #include "MyProto.h"

    MyProto_Analyzer::MyProto_Analyzer(Connection* c)
    : Analyzer(AnalyzerTag::MyProto, c)
    {
    }

    MyProto_Analyzer::~MyProto_Analyzer()
    {
    }

    void MyProto_Analyzer::Init()
    {
        // Raise MyEvent once, when the analyzer is attached to a connection.
        val_list* vl = new val_list;
        vl->append(new StringVal("A message from MyProto_Analyzer!"));
        Conn()->ConnectionEvent(MyEvent, this, vl);
    }

    void MyProto_Analyzer::Done()
    {
    }

    void MyProto_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
                    int seq, const IP_Hdr* ip, int caplen)
    {
        // No protocol parsing yet; just hand the packet to the base class.
        Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
    }

    # Bro script (my_proto.bro)
    global foo_ports: set[port] = { 80/tcp } &redef;
    redef dpd_config += { [ANALYZER_MYPROTO] = [$ports = foo_ports] };

    event bro_init()
    {
        print ("Hello!");
    }

    event MyEvent(c: connection, msg: string)
    {
        print msg;
    }

    # Event declaration (bif syntax)
    event MyEvent%(c: connection, msg: string%);
