[Bro] Event Engine Question

Qinwen Hu qhu009 at aucklanduni.ac.nz
Tue Jan 3 23:15:21 PST 2012


Hi All:

After Seth explained the difference between the Event Engine in Bro and
the pre-processor in Snort, I am still quite confused about the Event Engine
layer.

I think the Event Engine is like the decode layer: the user can write their
own program to indicate which protocol the incoming packet has used
and which handler we should use, then pass it to the Policy Script Interpreter
layer; this layer will check the payload part and use signature
matching to check whether the incoming packet has unknown behaviour or
not.

So can I assume that the Event Engine is used to indicate which event handler will be
used, and the policy script layer will choose the particular script for
the particular handler?

Thanks for your help.

Steven
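As an added illustration (not part of the original post, and not a reply from the list), a small Bro policy script showing the division the question is about: the event engine decodes and parses traffic and raises events, while the script layer only declares handlers for the events it cares about. The signature name `demo-bad-useragent` is a constructed placeholder and assumes a matching `.sig` entry loaded alongside the script.

```bro
# Added example: a hypothetical policy script, not from the Bro project.
# The event engine reassembles streams, parses protocols and runs the
# signature matcher; scripts like this only react to the events it raises.

module EventDemo;

export {
    # Constructed signature id; assumes a signature of this name in a .sig file.
    const suspicious_sig = "demo-bad-useragent" &redef;
}

# Raised by the event engine once it has parsed an HTTP request line.
# Protocol detection and parsing already happened before this runs.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
{
    # Script-layer policy: note POSTs to PHP resources for later review.
    if ( method == "POST" && /\.php$/ in unescaped_URI )
        print fmt("%s -> %s POST to %s",
                  c$id$orig_h, c$id$resp_h, unescaped_URI);
}

# Raised when a signature matches; matching is done by the engine, the
# script layer decides what the match means (log, alert, ignore).
event signature_match(state: signature_state, msg: string, data: string)
{
    if ( state$sig_id == suspicious_sig )
        print fmt("signature %s matched from %s: %s",
                  state$sig_id, state$conn$id$orig_h, msg);
}
```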

