[Bro] Signature framework questions, endianness and bitwise operations
jsiwek at illinois.edu
Thu Jul 24 13:00:15 PDT 2014
On Jul 24, 2014, at 10:50 AM, James Feister <openjaf at gmail.com> wrote:
> As an alternative, I wanted to look at every stream (TCP) and packet (UDP) and then do the match in my analyzer code. But the site documentation only references DPM.cc to perform this hooking, which I can only find in the 2.1 code base, not 2.2 or 2.3. Which of the analyzers in the 2.3 release could I use as a reference?
analyzer::Manager::BuildInitialAnalyzerTree() is what the documentation should say for newer versions. Another way you may be able to do what you want, without changing source code directly, is to make a payload regex that matches everything and enables the analyzer you are writing.
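As an added illustration of the second suggestion (not from the thread or the Bro code base), a signature file that attaches a custom analyzer to every TCP stream and every UDP flow; the analyzer tag "MyProto" and the file name match-all.sig are placeholders for the analyzer being written.

```bro
# Constructed example: save as match-all.sig and load it from a Bro script
# with `@load-sigs ./match-all.sig`. "MyProto" stands in for the tag of the
# analyzer being written; it is not a real Bro analyzer name.

signature dpd_myproto_tcp {
  ip-proto == tcp
  # /.*/ matches any payload, so the signature fires on every TCP stream
  # carrying data, regardless of port.
  payload /.*/
  enable "MyProto"
}

signature dpd_myproto_udp {
  ip-proto == udp
  # Same idea for UDP: every datagram with payload enables the analyzer
  # on that flow.
  payload /.*/
  enable "MyProto"
}
```

Because the match is unconditional, the analyzer is attached to every connection and must recognize non-matching traffic itself, calling ProtocolViolation() so Bro detaches it rather than spending parsing effort on every flow.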