[Bro-Dev] Packet Signature, Protocol, and Analyzer Relationship

Justin Oursler justin.oursler at gmail.com
Wed Feb 8 12:26:54 PST 2017


I am writing a new analyzer and plugin for a TCP Application protocol.  Can
someone help explain the relationship among the protocol, the analyzer, and
the dynamic signature files?  The reason I ask is I have a payload regex in
dpd.sig that will match on packets and log.  Then, if I start adding to and
changing my-proto-protocol.pac (while keeping the arguments the same that
gets passed to the event), Bro's debug will say it matches on the dpd.sig
for my protocol, but it will not produce a log for my protocol.  So, I
think I'm missing a fundamental process of Bro processing a packet.  Why
does changing my-proto-protocol.pac affect what gets logged?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20170208/cea8bc12/attachment.html 

More information about the bro-dev mailing list