[Bro] Re: how to add new event to Bro

bchen at cs.ucf.edu
Fri Apr 8 14:14:38 PDT 2005


Hi Christian,
   Thank you for your suggestion. I will try this way and put my results on
this mailing list.

Bing

>
> it all depends on what kinds of events trigger updates to your
> statistical parameters, and whether those elementary events already
> exist or not. Generally a good way to find existing events is by looking
> at src/event.bif, which lists all events the core can trigger. If you
> find suitable building blocks in there, you can start with a new policy
> script that maintains state through the event handlers for event types
> you're interested in. If you cannot find anything suitable (which, at
> least for network-based events, is rather unlikely), you might have to
> extend the core to support new events to be handled by your policy
> scripts.
>
> In your case, the event types connection_attempt() and
> connection_rejected() sound ideal. In their respective handlers, you can
> maintain connection state in a number of tables to achieve what you
> want. When you notice that the rate limits you defined are exceeded, you
> can trigger an event "manually" using the event() statement, or just
> perform the corresponding action directly in the state-maintaining code.
>
> Have a look at scan.bro for an example of something that is similar to what
> you want; also check out this thread in the archives:
>
>  http://mailman.icsi.berkeley.edu/pipermail/bro/2005-February/001774.html
>
> Hope this helps.
>
> Cheers,
> Christian.
> --
> ________________________________________________________________________
>                                          http://www.cl.cam.ac.uk/~cpk25
>                                                    http://www.whoop.org
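Below is an added example of the kind of policy script Christian describes: state kept in tables inside the connection_attempt() and connection_rejected() handlers, and a script-level event raised with the event statement once a per-source rate limit is crossed. It is not code from this thread, from scan.bro, or from the Bro project; it is written in current Zeek syntax, which differs in places from the 2005 Bro syntax the thread refers to, and the module name (RateScan), the event name (rate_exceeded), the threshold, and the window are all assumptions chosen for illustration.

```zeek
# Added example, not from the original thread or from the Bro/Zeek project.
# Counts connection attempts and rejections per originating host inside the
# handlers for the two core events Christian points at, and raises a
# script-defined event (via the event statement) when a source exceeds the
# limit. Module, event and constant names are assumptions for illustration.
module RateScan;

export {
	## Raised once per source per window when the attempt/rejection
	## rate limit is exceeded. Name is an assumption.
	global rate_exceeded: event(src: addr, n: count);

	## Attempts plus rejections tolerated per source within the window.
	## Value is an assumption; tune with redef.
	const threshold = 20 &redef;

	## Sliding window of inactivity after which a source's counter is
	## forgotten. Value is an assumption; tune with redef.
	const window = 5 min &redef;
}

# Per-source counter of failed/rejected connections. Entries expire on
# their own once a source has been quiet for `window`.
global attempts: table[addr] of count &create_expire=window;

# Sources already reported, so each one is reported once per window.
global reported: set[addr] &create_expire=window;

# Shared state-maintaining code for both elementary events.
function note_attempt(c: connection)
	{
	local src = c$id$orig_h;

	if ( src !in attempts )
		attempts[src] = 0;

	++attempts[src];

	if ( attempts[src] >= threshold && src !in reported )
		{
		add reported[src];
		# Trigger the script-level event "manually" with the event statement.
		event RateScan::rate_exceeded(src, attempts[src]);
		}
	}

# Core event: an unanswered (unsuccessful) connection attempt.
event connection_attempt(c: connection)
	{
	note_attempt(c);
	}

# Core event: a TCP connection that was actively rejected (RST).
event connection_rejected(c: connection)
	{
	note_attempt(c);
	}

# Handler for the script-defined event; a real deployment would write a
# notice or log entry here instead of printing.
event RateScan::rate_exceeded(src: addr, n: count)
	{
	print fmt("%s: %d connection attempts/rejections within %s (limit %d)",
	          src, n, window, threshold);
	}
```

Run it against a capture with `zeek -r trace.pcap ratescan.zeek` (file name assumed); because connection_attempt() fires only after Zeek's attempt timeout expires, a source has to keep hammering unresponsive ports for a while before the counter reaches the threshold, whereas connection_rejected() fires as soon as the RST is seen. The &create_expire attribute is what keeps the tables from growing without bound on a busy link.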