[Bro] invoking an analyzer without the default policy script?

Christian Kreibich christian at whoop.org
Wed Dec 5 12:17:18 PST 2007


On Wed, 2007-12-05 at 10:36 -0800, Mike Wood wrote:
> I did have success by adding the following:
> 
> global dns_ports = { 53/udp, 53/tcp, 137/udp };
> redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };
> 
> (also from dns.bro), and that triggered my event handler for dns_request.
> Note this seemed to work with and without redefining the capture filters.
> 
> Any ideas why this is the case?

AFAIK, this is exactly the way to enable a DPD-enabled analyzer.
http://www.bro-ids.org/wiki/index.php/DynamicProtocolDetection#Using_the_new_analyzer_framework

Likely, your capture filter is already set up to capture the relevant
packets anyway, so needs no special tweaking. (One of the best tips ever
regarding this stuff is to test the resulting filter by adding
"print-filter" at the end of your list of policy files specified at the
command line.)

> Particularly, am I only going to be
> able implement my custom event handlers for analyzers that are part of
> the DPD framework?

No, you can generally expect to use your own event handlers for the
other analyzers as well, unless these were somehow designed to require
substantial policy code.

Cheers,
Christian
-- 
________________________________________________________________________
                                           http://www.icir.org/christian
                                                    http://www.whoop.org
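A standalone policy file that puts the two quoted lines together with the dns_request handler the thread mentions, plus a small per-host request counter, as an added example (not code from either poster). It assumes Bro 1.x conventions: the dns_request event signature and the capture_filters table are taken from the era's dns.bro and are not confirmed by the thread, so check them against your installed scripts.

```bro
# Added example (not from the thread): minimal dns_watch.bro for Bro 1.x.
# The dns_request signature and capture_filters table are assumptions
# based on the Bro 1.x dns.bro conventions; verify against your install.

# Tell the DPD framework which ports the DNS analyzer should be tried on
# (the same two lines quoted in the thread, originally from dns.bro).
global dns_ports = { 53/udp, 53/tcp, 137/udp };
redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };

# Only needed if the default filter does not already cover these ports.
# Confirm what actually gets compiled in with:
#   bro -r trace.pcap dns_watch.bro print-filter
redef capture_filters += { ["dns-watch"] = "port 53 or udp port 137" };

# Per-originator request counter; the threshold is a constructed value.
const dns_query_alarm_threshold = 500 &redef;
global queries_by_orig: table[addr] of count &default = 0;

event dns_request(c: connection, msg: dns_msg, query: string,
                  qtype: count, qclass: count)
	{
	++queries_by_orig[c$id$orig_h];

	print fmt("%s -> %s query %s (type %d)",
	          c$id$orig_h, c$id$resp_h, query, qtype);

	# Flag a host once when it crosses the threshold, so the message is
	# not repeated for every further request.
	if ( queries_by_orig[c$id$orig_h] == dns_query_alarm_threshold )
		print fmt("NOTICE: %s has issued %d DNS requests",
		          c$id$orig_h, dns_query_alarm_threshold);
	}
```

Run it with `bro -r trace.pcap dns_watch.bro`; append `print-filter` to that command line first to see whether the capture_filters redef actually changes the resulting BPF expression.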