[Bro] segmentation fault by adding an analyzer to port 80

Eric Asselin Eric.Asselin at usherbrooke.ca
Fri Apr 5 14:05:07 PDT 2013

I tried the same code, but with a signature to trigger my
analyzer, which worked, but again at the end I get the same
"segmentation fault". If I derive the analyzer from
TCP_ApplicationAnalyzer instead of just Analyzer and still use
DeliverPacket(), the "seg fault" disappears.

But in fact, I don't care about the TCP connection stream, I just want the
analyzer to be triggered regardless of the transport layer... and
process the packet.

On 13-04-04 17:48, Siwek, Jonathan Luke wrote:
> On Apr 4, 2013, at 4:15 AM, Eric Asselin <Eric.Asselin at usherbrooke.ca>
>  wrote:
>> When I force the analyzer to be activated by modifying DPM.cc, everything works well. But when I try to activate it by using a Bro script, like this:
>>     global foo_ports: set[port] = { 80/tcp } &redef;
>>     redef dpd_config += { [ANALYZER_MYPROTO] = [$ports = foo_ports] };
>> a segmentation fault appears at the end of the script.
> I don't think there's a way to attach packet-based analyzers to TCP connections like that, so manually adding it in DPM.cc via TCP_Analyzer::AddChildPacketAnalyzer() for the ports you want may be the right thing.
> But if what you really wanted is a stream-based analyzer (it only sees the content after TCP reassembly), you can derive from TCP_ApplicationAnalyzer instead of Analyzer and override DeliverStream() instead of DeliverPacket().  Then the dpd_config redef you had should work.
> - Jon
