[Bro-Dev] Packet Signature, Protocol, and Analyzer Relationship
justin.oursler at gmail.com
Wed Feb 8 12:26:54 PST 2017
I am writing a new analyzer and plugin for a TCP Application protocol. Can
someone help explain the relationship among the protocol, the analyzer, and
the dynamic signature files? The reason I ask is I have a payload regex in
dpd.sig that will match on packets and log. Then, if I start adding to and
changing my-proto-protocol.pac (while keeping the arguments the same that
gets passed to the event), Bro's debug will say it matches on the dpd.sig
for my protocol, but it will not produce a log for my protocol. So, I
think I'm missing a fundamental process of Bro processing a packet. Why
does changing my-proto-protocol.pac affect what gets logged?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the bro-dev