[Bro-Dev] Packet Signature, Protocol, and Analyzer Relationship
Justin Oursler
justin.oursler at gmail.com
Wed Feb 8 12:26:54 PST 2017
Hello,
I am writing a new analyzer and plugin for a TCP application protocol. Can
someone help explain the relationship among the protocol, the analyzer, and
the dynamic signature files? The reason I ask is I have a payload regex in
dpd.sig that will match on packets and log. Then, if I start adding to and
changing my-proto-protocol.pac (while keeping the same arguments that get
passed to the event), Bro's debug will say it matches on the dpd.sig
for my protocol, but it will not produce a log for my protocol. So, I
think I'm missing a fundamental process of Bro processing a packet. Why
does changing my-proto-protocol.pac affect what gets logged?
Thanks,
Justin