[Bro] packet post-processor plugin

Aashish Sharma asharma at lbl.gov
Tue May 19 13:58:55 PDT 2015

Why do you want to do this ? what is that your packet port-processor going to do that you think bro isn't doing for you? 

>    Maybe there's some obvious way to do this that I've overlooked?

Yes, use scripting layer for your analysis. If you think a particular protocol parsing is deficient, instead of writing a packet post-processor, might as well write your new protocol parser. 

On Tue, May 19, 2015 at 04:22:14PM -0400, Jeff Barber wrote:
>    Still a bro newbie, so I'm looking for some guidance.
>    I'd like to add a packet post-processor to bro. It'll be written in C++.
>    Essentially I'd like to see every packet that goes through bro, along with
>    its Connection record (or the equivalent) if there is one. Ideally it would
>    be structured it as a plugin.
>    It looks like I could do it by triggering off of events like new_packet
>    (although currently that only triggers for IP packets). However, IIUC, that
>    still has bro packaging all the info up into a RecordVal, then I have to
>    decode  it  in my plugin event handler. That seems like quite a bit of
>    additional overhead on each packet.
>    It looks like I might also be able to do it as a PktDumper but then I just
>    get the raw packet data and I'd have to go re-parse headers and re-lookup
>    connection info - redoing work that's already been done.
>    What I'd really like is to simply get a call at the end of analysis for
>    every packet, where I'd get passed a pointer to the packet data along with a
>    pointer to the existing Connection record (if any). Maybe there's some
>    obvious way to do this that I've overlooked?
>    Anybody have advice for the best way to go? I'm willing to do work to make
>    this happen, but also would prefer not to fork bro so looking for "right
>    ways".
>    TIA,
>    Jeff

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

Aashish Sharma	(asharma at lbl.gov) 				 
Cyber Security, 
Lawrence Berkeley National Laboratory  
Office: (510)-495-2680  Cell: (510)-612-7971

More information about the Bro mailing list