[Bro-Dev] Protocol Analyzer Plugin Question

Vlad Grigorescu vlad at grigorescu.org
Mon May 15 17:14:08 PDT 2017

On Mon, May 15, 2017 at 1:46 PM, Aaron Eppert <aaron at eppert.co> wrote:

> Greetings,
> In working on authoring a new protocol analyzer plugin, I have encountered
> the following issues:
> 1) When adding a new type to be passed to an event handler, thus handled
> upstream by a protocol analyzer script, types.bif only supports enums. In
> order to deal with this during build time, I have added custom rule and
> custom target to augment events.bif.bro before it is installed.
> Am I missing something here? Is there a more streamlined approach for
> doing this?

Add it to init-bare.bro, e.g.: https://github.com/bro/bro/commit/

> 2) There seems to be an oddity with including an analyzer script
> alongside the plugin. I can see, via loaded_scripts.log, that everything is
> being loaded properly. However, events are not being fired from the
> analyzer script loaded from the plugins directory. If I run bro on the
> command line with an accompanying PCAP, I can see all the appropriate debug
> I have put into the plugin, but no events fire in the analyzer script. If I
> run the same command line AND add a different analyzer script that handles
> the same events, they fire and can be verified via print.

I'm not sure I fully understand. So, you have your analyzer, which is
generating some events. Then you have a script to handle those events and
generate some other events? And those script-generated events aren't
actually being generated?
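As an added illustration of the approach suggested in the reply to the first question (a script-level type that an event generated from the plugin's events.bif can carry), not code from this thread or from the Bro project; the analyzer namespace `MyProto`, the record fields and the event name `myproto_message` are assumptions:

```bro
# (1) Type declaration. Goes in init-bare.bro (i.e. a script that is loaded
#     before the plugin's BIFs are processed) so events.bif can reference it.
module MyProto;                # hypothetical analyzer namespace

export {
    type Header: record {      # constructed example fields
        version: count;
        msg_type: count;
        payload_len: count;
    };
}

module GLOBAL;

# (2) Event declaration in the plugin's events.bif; the BIF compiler now
#     knows the type, so the generated C++ can pass a MyProto::Header:
#
#     event myproto_message%(c: connection, hdr: MyProto::Header%);

# (3) Handler in the analyzer script. It only runs once the C++ analyzer
#     actually generates the event; printing here is the quickest way to
#     confirm that the script side is wired up when replaying a pcap.
event myproto_message(c: connection, hdr: MyProto::Header)
    {
    print fmt("%s -> %s myproto v%d type=%d len=%d",
              c$id$orig_h, c$id$resp_h,
              hdr$version, hdr$msg_type, hdr$payload_len);
    }
```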

