[Bro] exercising binpac++/spicy parsers

Troy Jordan troyj at maine.edu
Sun Nov 8 13:12:24 PST 2015

(reviving this old thread)

Is the method for generating log output the same with spicy parsers as
it is for binpac parsers? Would the code to do so reside in a .bro file?

- Troy

On 3/13/2015 10:39 AM, Johanna Amann wrote:
> Hello Troy,
>> There are some hilti-based parsers in the Bro docker image. When I run
>> the pcaps for BACnet (/opt/hilti/bro/tests/Traces/bacnet/*.pcap) through
>> Bro (e.g. bro -r NPDU.pcap), no event logs are produced in
>> /usr/local/bro/logs.
> You have to load the applicable scripts and pac files for Bro to be able
> to parse these protocols. Which files you have to load depends a bit on
> the protocol. The easiest way is to look at the tests that should be there
> for each of the protocols, that is, to look into the tests directory in
> hilti/bro/tests. In there, pac2/bacnet/npdu_nlmessages.bro shows that to
> parse the NPDUs, it loads bacnet.evt and bacnet.bro out of the hilti
> distribution and then defines a few custom events for output.
> Generally, none of the spicy parsers come with the Bro scripts to generate
> log output -- the parsers just create events. For some of the parsers
> replacing protocols (like DNS or HTTP), the events might be similar enough
> to the events emitted by the binpac parsers to already generate logs. For
> all new protocols implemented by spicy, you would first have to create
> such scripts.
> I hope that helps,
>  Johanna


                     	  Troy Jordan
                   t r o y j @ m a i n e . e d u
                Network Systems Security Analyst
             Information Technology Security Office
                    University of Maine System
233 Science Building           |     voice: 207.561.3590
Portland, ME 04103             |     fax:   509.351.3650

"As you all know, Security Is Mortals chiefest Enemy"
 William Shakespeare, Macbeth
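The kind of log-generating script Johanna describes, as an added example that is not from the thread or from the hilti distribution: it assumes a Spicy analyzer has already been loaded via its .evt/.bro files (as with bacnet.evt and bacnet.bro), and the module name, the event `myproto_message` and its parameters are hypothetical placeholders standing in for whatever the analyzer's .evt file actually declares.

```bro
# Added example; not part of the thread or the hilti/spicy distribution.
# The Spicy parser only raises events. Nothing reaches a log file until a
# script like this one declares a log stream and writes records into it
# from an event handler.

module MyProto;

export {
    redef enum Log::ID += { LOG };

    # Columns of the resulting myproto.log.
    type Info: record {
        ts:        time    &log;
        uid:       string  &log;
        id:        conn_id &log;
        msg_type:  count   &log;
        hop_count: count   &log &optional;
    };
}

event bro_init()
{
    # One stream per protocol; the default writer creates myproto.log.
    Log::create_stream(MyProto::LOG, [$columns=Info, $path="myproto"]);
}

# Hypothetical event name and signature: substitute the event the
# analyzer's .evt file maps its parsed messages to.
event myproto_message(c: connection, msg_type: count, hop_count: count)
{
    local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id,
                       $msg_type=msg_type, $hop_count=hop_count];
    Log::write(MyProto::LOG, rec);
}
```

Load this script alongside the analyzer's .evt and .bro files when running `bro -r` on the trace; with only the analyzer loaded, the events fire but no log is written.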
