[Bro] invoking the "protocol_confirmation" event

Johanna Amann johanna at icir.org
Fri Jul 10 14:35:49 PDT 2015


On Fri, Jul 10, 2015 at 09:08:40PM +0000, Earl Eiland wrote:
> I'm working on cataloging service-level protocols seen on a network.
> event.bif.bro lists "protocol_confirmation: event(c: connection , atype:
> Analyzer::Tag , aid: count)", which seems to be just the ticket.
> However, it is not invoked by some of the protocol analyzers of interest
> (e.g., MODBUS/TCP).  It is invoked by DNS, but I don't see it in
> /scripts/base/protocols/dns/main.bro<https://www.bro.org/sphinx/_downloads/main25.bro>.
> How do I modify the other protocol analyzer scripts to invoke
> protocol_confirmation?

You do not see the event being raised in scriptland, because it is
generated by Bro when the C++ or binpac code (in
src/analyzers/protocols/*) calls ProtocolConfirmation(); or
bro_analyzer()->ProtocolConfirmation(); to confirm that it is parsing the
correct protocol, after it parses enough data to be sure about it.

That function call was missing from the modbus analyzer; it was
added to bro master a few days ago and should be raised there now too.

TCP/UDP do not raise it currently -- I think the justification for this is
that in the case of TCP and UDP Bro does not really detect the protocol,
but it is given directly in the IP information (i.e. -- if the IP header
says that it is TCP, Bro just believes it).

Johanna
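
An added example, not part of the thread, of a Bro script that consumes the event described above to do the cataloguing asked about in the question. It relies on the protocol_confirmation signature quoted from event.bif.bro and on the base-script helper Analyzer::name(); the module name ProtoCatalog is an assumption.

```bro
# Added example (not from the original thread): tally protocol confirmations
# per analyzer name and responder port so that confirmed service-level
# protocols can be catalogued. The module name ProtoCatalog is an assumption.
module ProtoCatalog;

export {
    ## Confirmed (analyzer name, responder port) -> number of confirmations.
    global seen: table[string, port] of count &default=0;
}

event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
    {
    # Only analyzers that call ProtocolConfirmation() in their C++/binpac
    # code reach this handler, so plain TCP/UDP connections with no confirmed
    # application protocol never show up in the table.
    local name = Analyzer::name(atype);
    ++seen[name, c$id$resp_p];
    }

event bro_done()
    {
    # Print the catalogue once the trace or live capture has finished.
    for ( [name, p] in seen )
        print fmt("%s on %s: %d confirmation(s)", name, p, seen[name, p]);
    }
```

Run it against a pcap with `bro -r trace.pcap protocatalog.bro`; an analyzer that never calls ProtocolConfirmation() (as modbus did before the fix mentioned above) will be absent from the output even when its traffic is present.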

