[Bro] packet post-processor plugin
asharma at lbl.gov
Tue May 19 13:58:55 PDT 2015
Why do you want to do this? What is it that your packet post-processor is going to do that you think bro isn't doing for you?
> Maybe there's some obvious way to do this that I've overlooked?
Yes, use the scripting layer for your analysis. If you think a particular protocol's parsing is deficient, instead of writing a packet post-processor you might as well write your new protocol parser.
On Tue, May 19, 2015 at 04:22:14PM -0400, Jeff Barber wrote:
> Still a bro newbie, so I'm looking for some guidance.
> I'd like to add a packet post-processor to bro. It'll be written in C++.
> Essentially I'd like to see every packet that goes through bro, along with
> its Connection record (or the equivalent) if there is one. Ideally it would
> be structured as a plugin.
> It looks like I could do it by triggering off of events like new_packet
> (although currently that only triggers for IP packets). However, IIUC, that
> still has bro packaging all the info up into a RecordVal, then I have to
> decode it in my plugin event handler. That seems like quite a bit of
> additional overhead on each packet.
> It looks like I might also be able to do it as a PktDumper but then I just
> get the raw packet data and I'd have to go re-parse headers and re-lookup
> connection info - redoing work that's already been done.
> What I'd really like is to simply get a call at the end of analysis for
> every packet, where I'd get passed a pointer to the packet data along with a
> pointer to the existing Connection record (if any). Maybe there's some
> obvious way to do this that I've overlooked?
> Anybody have advice for the best way to go? I'm willing to do work to make
> this happen, but also would prefer not to fork bro so looking for "right
Aashish Sharma (asharma at lbl.gov)
Lawrence Berkeley National Laboratory
Office: (510)-495-2680 Cell: (510)-612-7971
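As an added example, not code from this thread or from the Bro project, here is the scripting-layer route Aashish points to: a handler for new_packet receives each IP packet's headers together with its connection record, so a per-packet check like the one Jeff describes needs no C++ plugin. It assumes Bro 2.x's new_packet(c: connection, p: pkt_hdr) event and the pkt_hdr/ip4_hdr record fields; the module name, notice type and tables are made up here.

```bro
##! Added example (not from the thread): watch every IPv4 packet together
##! with its connection record from the scripting layer, and raise a notice
##! when the originator's IP TTL changes mid-connection (a simple anomaly
##! check that needs both the packet header and the connection state).
##! Assumes Bro 2.x's new_packet(c: connection, p: pkt_hdr) event.

module PktWatch;

export {
    redef enum Notice::Type += {
        ## TTL of packets from the originator changed within one connection.
        TTL_Change,
    };

    ## Per-connection packet count, keyed by connection uid.
    global pkts_seen: table[string] of count &default=0;
    ## TTL seen on the first originator-side packet of each connection.
    global orig_ttl: table[string] of count;
}

event new_packet(c: connection, p: pkt_hdr)
{
    # new_packet fires only for IP packets; the fields below are IPv4 ones.
    if ( ! p?$ip )
        return;

    ++pkts_seen[c$uid];

    # Only compare packets sent by the connection's originator.
    if ( p$ip$src != c$id$orig_h )
        return;

    if ( c$uid !in orig_ttl )
    {
        orig_ttl[c$uid] = p$ip$ttl;
        return;
    }

    if ( orig_ttl[c$uid] != p$ip$ttl )
        NOTICE([$note=TTL_Change,
                $conn=c,
                $msg=fmt("originator TTL %d -> %d after %d packets",
                         orig_ttl[c$uid], p$ip$ttl, pkts_seen[c$uid])]);
}

# Drop per-connection state once Bro expires the connection.
event connection_state_remove(c: connection)
{
    delete pkts_seen[c$uid];
    delete orig_ttl[c$uid];
}
```

Defining a new_packet handler makes Bro generate the event for every IP packet, so it carries the per-packet RecordVal cost Jeff mentions; it is suited to checks that are cheap per packet.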