[Bro] invoking an analyzer without the default policy script?
Christian Kreibich
christian at whoop.org
Wed Dec 5 12:17:18 PST 2007
On Wed, 2007-12-05 at 10:36 -0800, Mike Wood wrote:
> I did have success by adding the following:
>
> global dns_ports = { 53/udp, 53/tcp, 137/udp };
> redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };
>
> (also from dns.bro), and that triggered my event handler for dns_request.
> Note this seemed to work with and without redefining the capture filters.
>
> Any ideas why this is the case?
Afaik, this is exactly the way to enable a DPD-enabled analyzer.
http://www.bro-ids.org/wiki/index.php/DynamicProtocolDetection#Using_the_new_analyzer_framework
Likely, your capture filter is already set up to capture the relevant
packets anyway, so needs no special tweaking. (One of the best tips ever
regarding this stuff is to test the resulting filter by adding
"print-filter" at the end of your list of policy files specified at the
command line.)
> Particularly, am I only going to be
> able implement my custom event handlers for analyzers that are part of
> the DPD framework?
No, you can generally expect to use your own event handlers for the
other analyzers as well, unless these were somehow designed to require
substantial policy code.
Cheers,
Christian
--
________________________________________________________________________
http://www.icir.org/christian
http://www.whoop.org
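Putting the pieces from the exchange above into one policy file, as an added example that is not code from the original thread or from the Bro distribution: the two lines Mike borrowed from dns.bro register the DNS analyzer with the DPD framework, and a dns_request handler confirms the analyzer is actually being invoked, without @load-ing dns.bro itself. The file name custom-dns.bro, the trace name trace.pcap and the dns_request signature used here are assumptions based on the Bro 1.x script API of the time.

```bro
# custom-dns.bro (hypothetical file name): enable the DNS analyzer
# through the DPD framework without loading the stock dns.bro policy.
# Assumes the Bro 1.x script API (dpd_config, ANALYZER_DNS, dns_request).

# Same ports dns.bro uses; 137/udp covers NetBIOS name service,
# which the DNS analyzer also parses.
global dns_ports = { 53/udp, 53/tcp, 137/udp };

# Tell DPD to hand traffic on these ports to the DNS analyzer.  Without
# this (or dns.bro), the analyzer is never attached and no DNS events fire.
redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };

# A minimal handler to verify the analyzer runs: one line per query.
# Signature assumed from the Bro 1.x dns.bro event definitions.
event dns_request(c: connection, msg: dns_msg, query: string,
                  qtype: count, qclass: count)
	{
	print fmt("%s -> %s DNS query %s (type %d, class %d)",
	          c$id$orig_h, c$id$resp_h, query, qtype, qclass);
	}

# Usage (assumed invocation):
#   bro -r trace.pcap custom-dns.bro print-filter
# Appending print-filter, as Christian suggests, prints the effective
# capture filter so you can confirm port 53 traffic is captured before
# wondering why no dns_request events appear.
```

Note that the capture filter is derived from the loaded policy; if the printed filter does not cover the ports in dns_ports, adjust the capture filters rather than the dpd_config entry.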