[Bro-Dev] Hui Lin_Where is Binpac warning for Bro 2.0
seth at icir.org
Thu Dec 15 17:11:41 PST 2011
On Dec 15, 2011, at 5:54 PM, Hui Lin (Hugo) wrote:
> There is something that is coming to my mind which is not related to my work. Is it possible to have some simple state management in binpac too? Like making it possible for us to define global variables as parsing goes on.
Yes, you can do it, but it's a bit of a mess since you have to use the C/C++ integration techniques (there are examples of this in many of the existing binpac analyzers, like in ssl-protocol.pac). Binpac++ supports this much better since it's a Turing-complete programming language in itself.
The rule of thumb I've tried to stick to is only store things in the analyzer that are needed to continue parsing the protocol and pass everything else to script land through events.
International Computer Science Institute
(Bro) because everyone has a network