[Bro] Bro Scripting Question

Seth Hall seth at icir.org
Wed Jul 2 11:36:06 PDT 2014

On Jul 2, 2014, at 1:59 PM, Jason Batchelor <jxbatchelor at gmail.com> wrote:

> One additional question however, if someone is interested in writing a new analyzer, what would be a good place to start?

You could watch Vlad Grigorescu's presentation at last year's Bro Exchange about how to write a protocol analyzer:

> For example, what if someone wanted to write an analyzer that examined the MZ header of an executable for certain characteristics? What would be a good starting point for them? I've started reviewing the following...

Writing file analyzers is a tiny bit different than writing protocol analyzers but generally the same model holds in both cases.  We actually have a draft of a windows executable analyzer that Vlad recently made some changes to and can be found in the git repository under topic/vladg/file-analysis-exe-analyzer if you're curious about what that would look like.  It's still incomplete and doesn't do everything we'd like it to.

Unfortunately it's still not something that you will be doing in a Bro script however (in case that's what you were asking).


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140702/23bd033c/attachment.bin 

More information about the Bro mailing list