[Bro-Dev] Protocol Analyzer Plugin Question

Aaron Eppert aaron at eppert.co
Mon May 15 13:46:42 PDT 2017


In working on authoring a new protocol analyzer plugin, I have encountered
the following issues:

1) When adding a new type to be passed to an event handler, thus handled
upstream by a protocol analyzer script, types.bif only supports enums. In
order to deal with this during build time, I have added a custom rule and a
custom target to augment events.bif.bro before it is installed.

Am I missing something here? Is there a more streamlined approach for doing

2) There seems to be an oddity with including an analyzer script alongside
the plugin. I can see, via loaded_scripts.log, that everything is being
loaded properly. However, events are not being fired from the analyzer
script loaded from the plugins directory. If I run bro on the command line
with an accompanying PCAP, I can see all the appropriate debug I have put
into the plugin, but no events fire in the analyzer script. If I run the
same command line AND add a different analyzer script that handles the same
events, they fire and can be verified via print.

Most of the examples that exist aren't trying to do anything along these
lines and, while I have the rest of the protocol defined well via BinPac,
the last mile of making use of that work has been a bit uphill.

Any insight into the two oddities above would be greatly appreciated.

