[Bro-Dev] Protocol Analyzer Plugin Question

Vlad Grigorescu vlad at grigorescu.org
Mon May 15 17:14:08 PDT 2017


On Mon, May 15, 2017 at 1:46 PM, Aaron Eppert <aaron at eppert.co> wrote:

> Greetings,
>
> In working on authoring a new protocol analyzer plugin I have encountered
> the following issues:
>
> 1) When adding a new type to be passed to an event handler, thus handled
> upstream by a protocol analyzer script, types.bif only supports enums. In
> order to deal with this during build time, I have added custom rule and
> custom target to augment events.bif.bro before it is installed.
>
> Am I missing something here? Is there a more streamlined approach for
> doing this?
>

Add it to init-bare.bro. e.g.: https://github.com/bro/bro/commit/11ec4903ee0cbd3cdb555c309f67ce399b23e37b#diff-64e7fba4a98f6581a47aa0053e9f03c6


> 2) There seems to be an oddity with including an analyzer script
> alongside the plugin. I can see, via loaded_scripts.log, that everything is
> being loaded properly. However, events are not being fired from the
> analyzer script loaded from the plugins directory. If I run bro on the
> command line with an accompanying PCAP, I can see all the appropriate debug
> I have put into the plugin, but no events fire in the analyzer script. If I
> run the same command line AND add a different analyzer script that handles
> the same events, they fire and can be verified via print.
>

I'm not sure I fully understand. So, you have your analyzer, which is
generating some events. Then you have a script to handle those events and
generate some other events? And those script-generated events aren't
actually being generated?

  --Vlad
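To make the first answer concrete, the following is an added example of the pattern the linked commit uses; it is not code from this thread or from the Bro project. The record type is declared in a script that Bro loads before it parses the BIF files, so the .bif event prototype can name it, and the script-side handler then consumes it without any build-time patching of events.bif.bro. In-tree that script is init-bare.bro; for a standalone plugin this example assumes the plugin skeleton's scripts/__preload__.bro, which is loaded before the plugin's BIFs. The MyProto namespace, the Request record, the myproto_request event, and the file names are all assumptions for illustration.

```zeek
# ---- scripts/__preload__.bro (assumed; in-tree this goes in init-bare.bro) ----
# Declared here so the type exists before the plugin's .bif files are parsed.
module MyProto;

export {
    ## Fields the (hypothetical) analyzer decodes from a request header.
    type Request: record {
        version: count;
        opcode:  count;
        length:  count;
        ## Only set when the analyzer actually saw a body.
        body:    string &optional;
    };
}

# ---- src/events.bif (assumed file name) ----
# BIF event prototype raised by the C++ analyzer. It can reference
# MyProto::Request because the type was defined in the preloaded script.
event myproto_request%(c: connection, req: MyProto::Request%);

# ---- scripts/main.bro (assumed file name) ----
# Ordinary script-side handler; nothing here touches the generated events.bif.bro.
module MyProto;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:      time    &log;
        uid:     string  &log;
        id:      conn_id &log;
        version: count   &log;
        opcode:  count   &log;
        length:  count   &log;
    };
}

event bro_init()
    {
    Log::create_stream(MyProto::LOG, [$columns=Info, $path="myproto"]);
    }

# Handler for the event the analyzer raises. The record arrives fully
# populated from the C++ side; the script only decides what to log.
event myproto_request(c: connection, req: MyProto::Request)
    {
    local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id,
                       $version=req$version, $opcode=req$opcode,
                       $length=req$length];
    Log::write(MyProto::LOG, rec);
    }
```

The C++ side of the analyzer, which builds the RecordVal and raises the event, is not shown because the thread does not include it. The point of the layout is only ordering: the script that defines the type must be loaded before the BIF that refers to it, which is what init-bare.bro (or the plugin's __preload__.bro) guarantees.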