[Bro] segmentation fault by adding an analyzer to port 80
Siwek, Jonathan Luke
jsiwek at illinois.edu
Thu Apr 4 08:48:19 PDT 2013
On Apr 4, 2013, at 4:15 AM, Eric Asselin <Eric.Asselin at usherbrooke.ca>
wrote:
> When I force the analyzer to be activated by modifying the DPM.cc, everything works well. But when I try to activate it by using a Bro script, like this:
>
> global foo_ports: set[port] = { 80/tcp } &redef;
> redef dpd_config += { [ANALYZER_MYPROTO] = [$ports = foo_ports] };
>
> a segmentation fault appears at the end of the script.
I don't think there's a way to attach packet-based analyzers to TCP connections like that, so manually adding it in DPM.cc via TCP_Analyzer::AddChildPacketAnalyzer() for the ports you want may be the right thing.
But if what you really wanted is a stream-based analyzer (it only sees the content after TCP reassembly), you can derive from TCP_ApplicationAnalyzer instead of Analyzer and override DeliverStream() instead of DeliverPacket(). Then the dpd_config redef you had should work.
- Jon
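
An added illustration of the packet-based versus stream-based distinction drawn in the reply above; it is not code from the message or from Bro. The classes are self-contained stand-ins that borrow only the method names DeliverPacket() and DeliverStream(), and the simplified reassembler and the sample segments are constructed for this example.

```cpp
// Stand-in model, NOT Bro's headers. Sequence wraparound is ignored for brevity.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

struct Segment { uint32_t seq; std::string payload; };  // one direction only
// Packet-based view: payloads arrive exactly as captured on the wire.
struct PacketAnalyzer {
    std::string seen;
    void DeliverPacket(const Segment& s) { seen += s.payload; }
};
// Stream-based view: bytes arrive in sequence order, each byte once.
struct StreamAnalyzer {
    std::string seen;
    void DeliverStream(const std::string& data) { seen += data; }
};

// Simplified reassembler: buffers out-of-order segments, drops delivered bytes.
class Reassembler {
    uint32_t next_;                            // next expected sequence number
    std::map<uint32_t, std::string> pending_;  // buffered segments by seq
    StreamAnalyzer& out_;
public:
    Reassembler(uint32_t isn, StreamAnalyzer& out) : next_(isn), out_(out) {}
    void Add(const Segment& s) {
        pending_[s.seq] = s.payload;
        auto it = pending_.begin();
        while (it != pending_.end() && it->first <= next_) {
            uint32_t skip = next_ - it->first;  // bytes already delivered
            if (skip < it->second.size()) {
                out_.DeliverStream(it->second.substr(skip));
                next_ = it->first + it->second.size();
            }
            it = pending_.erase(it);
        }
    }
};

struct Views { std::string packet, stream; };
Views run_demo() {
    // Constructed capture: reordered segments plus one retransmission.
    std::vector<Segment> wire = { {1005, "index.html"}, {1000, "GET /"},
                                  {1000, "GET /"}, {1015, " HTTP/1.1\r\n"} };
    PacketAnalyzer p; StreamAnalyzer s; Reassembler r(1000, s);
    for (const Segment& seg : wire) { p.DeliverPacket(seg); r.Add(seg); }
    return { p.seen, s.seen };
}
int main() { std::printf("%s", run_demo().stream.c_str()); return 0; }
```

The packet view ends up with reordered and duplicated bytes, while the stream view holds the request line exactly once and in order, which is the input a parser for a protocol carried over TCP expects.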