[Bro] Signature framework questions, endianness and bitwise operations

Siwek, Jon jsiwek at illinois.edu
Thu Jul 24 13:00:15 PDT 2014


On Jul 24, 2014, at 10:50 AM, James Feister <openjaf at gmail.com> wrote:

> As an alternative I wanted to look at every stream (tcp) and packet (udp) then do the match in my analyzer code.  But site documentation only references DPM.cc to perform this hooking which I can only find in the 2.1 code base not 2.2 or 2.3.  Which of the analyzers in the 2.3 release could I use as a reference?

analyzer::Manager::BuildInitialAnalyzerTree() is what the documentation should say for newer versions.  Another way you may be able to do what you want without changing source code directly is to make a payload regex that matches everything and enables the analyzer you are writing.

- Jon
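The second suggestion above in concrete form, as an added example that is not part of the original message or of the Bro distribution. It assumes a plugin that registers its analyzer::Component under the name "MyAnalyzer" (a hypothetical name; use whatever your plugin registers) and that the signature file lives next to the script that loads it:

```bro
# my-analyzer.sig  (added example; "MyAnalyzer" is a hypothetical analyzer name)
#
# Two DPD-style signatures whose payload pattern matches any data at all, so the
# "enable" action attaches the analyzer to every TCP connection and every UDP
# flow as soon as the first payload bytes arrive.  No port or tcp-state
# conditions are given on purpose: the point is to see all traffic, not just
# well-known ports.

signature enable-myanalyzer-tcp {
    ip-proto == tcp
    payload /.*/
    enable "MyAnalyzer"
}

signature enable-myanalyzer-udp {
    ip-proto == udp
    payload /.*/
    enable "MyAnalyzer"
}
```

Load it from any Bro script with `@load-sigs ./my-analyzer.sig` (or pass it on the command line with `bro -s my-analyzer.sig`). Two things worth knowing before relying on this: the match fires on the first payload chunk, and because the connection's initial bytes are buffered up to `dpd_buffer_size` (default 1024) and replayed to an analyzer that a signature enables, the analyzer still sees the stream from its start; and since the pattern matches everything, the analyzer now runs on every connection, so its per-connection cost is paid for all traffic, which is exactly the hook the question asked for but is worth measuring on a busy link.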


