[Bro-Dev] Help creating new analyzer

Seth Hall seth at icir.org
Fri Apr 15 16:57:19 PDT 2011


On Apr 15, 2011, at 6:18 PM, Kristin Stephens wrote:

> Just for the sake of my own understanding. The changes you made above
> say the exact same thing I had originally except they don't use the
> &length attribute.

Sort of.  When you go to use the marker value you will be receiving an array of 8-bit ints instead of a bytestring value, but you can just write your code around that (assuming you are even using the marker value).  The main thing is that I set a length on the whole record.

> And normally it would work except there is a bug
> with bytestring and setting its &length property?


The bug is only prevalent in certain cases because binpac has to know the full size of the unit before it hits a dynamically sized field (if I understand it correctly), but for some reason, even if you set a static size for a bytestring, it still thinks that's a dynamically sized field, which is why I changed it to a 16-long uint8 array.

  Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/



