[Bro] Event Engine Question

[Seth Hall]

On Jan 4, 2012, at 2:15 AM, Qinwen Hu wrote:

> I think the Event Engine is like the decode layer,

It's really best to stop trying to make comparisons to various components of Bro with components of Snort.  They are different systems and they work very differently. :)

> the user can write their own program to indicate which protocol that incoming packet has been used and which handle we should use, then pass to the Policy Script Interpreter layer, this layer will check the payload part, and using the signature matching to check either the incoming packet with the unknown behaviour or not.

Bro doesn't have much focus on packets.  It's concerned with connections and the protocols that run over those connections.  Signatures don't really have anything to do with it.

> So can I think that Event Engine use to indicate which event handle will be used, and the policy script layer will choose the particular script from the particular handle??

Think of the data flow like this:

Packets -> Bidirectional Streams -> Analyzers -> Events -> Event handlers (script land)

Packets get turned into bidirectional streams of data by the reassembler and the tcp analyzer.  The data streams are passed to one or more protocol analyzers (I'm glossing over this because a lot more is going on here) which take the data and turn it into events.  For example, when the http analyzer is attached to an http session and the request happens, the analyzer will create an http_request event and insert it into the event queue (which is a fairly simple FIFO).  When the event bubbles to the top of the queue, it will call all of the http_request handlers.  At that point whatever you write code to do with the event is your concern. 

Does that make things more clear?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/