[Bro] ANALYZER_* resolution

Justin Thomas justin at justinthomas.name
Fri Dec 7 17:35:14 PST 2012


Another (I think) simple question: how do I resolve the "count" constant to
its appropriate ANALYZER_* name string? I think I need to do something with
dpd_config, but can't seem to find the right information.

I can see (through observation) that 34 is ANALYZER_SSL, 9 is ANALYZER_DNS
and 13 is ANALYZER_HTTP, but I can't find those associations anywhere in
the code.

What I want to do is have a script that validates the protocol of a flow
for a web application I'm using. So I'm getting that data out of Bro with a
Python script using this snippet in site/local.bro:

# Custom event carrying only the connection id and the analyzer number.
global protocol_confirmation_custom: event(cid: conn_id, atype: count);

# Re-raise every DPD confirmation so an external consumer can pick it up.
event protocol_confirmation(c: connection, atype: count, aid: count) {
    event protocol_confirmation_custom(c$id, atype);
}

My script then gets data like:

protocol_confirmation {'orig_p': '34850/tcp', 'orig_h': 'x.x.x.x',
'resp_p': '80/tcp', 'resp_h': 'x.x.x.x'} 13

Instead of that "13" at the end, I want "ANALYZER_HTTP". But obviously, I
don't want to just make that association manually - I'm sure there must be
a way to get the analyzer name programmatically, I just can't seem to find
it.

Thanks for your help!
Justin
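As an added illustration (not code from the post) of the flow validation described above, the consumer-side script below parses lines in the format printed by the poster's Python script and flags flows whose confirmed analyzer disagrees with the protocol expected on the responder port. The number-to-name table holds only the values the poster observed on their build and is labelled as such, not as an authoritative mapping, and the per-port policy is a hypothetical one for the web application.

```python
import ast
import re

# Analyzer numbers -> names exactly as OBSERVED by the poster on their build.
# Not authoritative: the numbering is build-specific, which is precisely why
# the name should be resolved inside Bro rather than hard-coded here.
OBSERVED_ANALYZER_NAMES = {9: "ANALYZER_DNS", 13: "ANALYZER_HTTP", 34: "ANALYZER_SSL"}

# Hypothetical policy for the web application: analyzer expected per responder port.
EXPECTED_BY_RESP_PORT = {"80/tcp": "ANALYZER_HTTP", "443/tcp": "ANALYZER_SSL"}

# One line as printed by the consumer script: "protocol_confirmation {<dict>} <atype>"
LINE_RE = re.compile(r"^protocol_confirmation\s+(\{.*\})\s+(\d+)\s*$")


def parse_confirmation(line):
    """Return (conn_id_dict, analyzer_name) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    cid = ast.literal_eval(m.group(1))  # the printed conn_id is a Python dict literal
    atype = int(m.group(2))
    return cid, OBSERVED_ANALYZER_NAMES.get(atype, "UNKNOWN_%d" % atype)


def validate_flows(lines):
    """Return [(conn_id, expected, confirmed)] for flows where the confirmed
    analyzer is not the one the policy expects on that responder port."""
    mismatches = []
    for line in lines:
        parsed = parse_confirmation(line)
        if parsed is None:
            continue  # skip anything that is not a confirmation line
        cid, confirmed = parsed
        expected = EXPECTED_BY_RESP_PORT.get(cid.get("resp_p"))
        if expected is not None and confirmed != expected:
            mismatches.append((cid, expected, confirmed))
    return mismatches


# Constructed sample input: the poster's own line, a mismatching flow, and noise.
SAMPLE_LINES = [
    "protocol_confirmation {'orig_p': '34850/tcp', 'orig_h': 'x.x.x.x', "
    "'resp_p': '80/tcp', 'resp_h': 'x.x.x.x'} 13",
    "protocol_confirmation {'orig_p': '51000/tcp', 'orig_h': '10.0.0.5', "
    "'resp_p': '80/tcp', 'resp_h': '10.0.0.9'} 34",
    "protocol_confirmation {'orig_p': '40000/udp', 'orig_h': '10.0.0.5', "
    "'resp_p': '53/udp', 'resp_h': '10.0.0.1'} 9",
    "some unrelated log line",
]

if __name__ == "__main__":
    for cid, expected, confirmed in validate_flows(SAMPLE_LINES):
        print("MISMATCH %s: expected %s, got %s" % (cid["resp_p"], expected, confirmed))
```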