[Bro] exercising binpac++/spicy parsers

Johanna Amann johanna at icir.org
Fri Mar 13 07:39:19 PDT 2015


Hello Troy,

> There are some hilti-based parsers in the Bro docker image. When I run
> the pcaps for BACnet (/opt/hilti/bro/tests/Traces/bacnet/*.pcap) through
> Bro (e.g. bro -r NPDU.pcap), no event logs are produced in
> /usr/local/bro/logs.

You have to load the applicable scripts and pac files for Bro to be able
to parse these protocols. Which files you have to load depends a bit on
the protocol. The easiest way is to look at the tests that should be there
for each of the protocols, that is, to look into the tests directory in
hilti/bro/tests. In there, pac2/bacnet/npdu_nlmessages.bro shows that to
parse the NPDUs, it loads bacnet.evt and bacnet.bro out of the hilti
distribution and then defines a few custom events for output.

Generally, none of the spicy parsers come with the Bro scripts to generate
log output -- the parsers just create events. For some of the parsers
replacing protocols (like DNS or HTTP), the events might be similar enough
to the events emitted by the binpac parsers to already generate logs. For
all new protocols implemented by spicy, you would first have to create
such scripts.

I hope that helps,
 Johanna
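The scripting step described in the reply above (load the parser's .evt and .bro files, then write your own script that turns the parser's events into a log), shown as an added example that is not part of the original message and not code from the hilti/spicy project. It assumes bacnet.evt and bacnet.bro are reachable via BROPATH as they are in the hilti distribution. The event name bacnet_npdu_message and its parameters are hypothetical placeholders: the real event names and signatures are the ones declared in bacnet.evt, and you must replace the handler below with those.

```bro
# Added example: minimal Bro script that logs events raised by a
# spicy/binpac++ parser. Not taken from the hilti distribution.
# Assumption: bacnet.evt and bacnet.bro are on BROPATH.
@load bacnet.evt
@load bacnet.bro

module BACnetLog;

export {
    # Register a new log stream; the log file name is derived from the
    # stream id by the logging framework.
    redef enum Log::ID += { LOG };

    # One line per parsed NPDU. Only fields marked &log reach the file.
    type Info: record {
        ts:       time    &log;
        uid:      string  &log;
        id:       conn_id &log;
        # Hypothetical field carried by the hypothetical event below.
        msg_type: count   &log &optional;
    };

    # Optional hook other scripts can use to see each record before it is written.
    global log_bacnet: event(rec: Info);
}

event bro_init() &priority=5
    {
    Log::create_stream(BACnetLog::LOG, [$columns=Info, $ev=log_bacnet]);
    }

# HYPOTHETICAL event name and signature; replace with the events that
# bacnet.evt actually declares for the parser you are exercising.
event bacnet_npdu_message(c: connection, msg_type: count)
    {
    local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id, $msg_type=msg_type];
    Log::write(BACnetLog::LOG, rec);
    }
```

Save this as a script (for instance bacnet_log.bro) and pass it on the command line together with the trace, e.g. `bro -r NPDU.pcap bacnet_log.bro`; without such a script the parser still raises its events, but nothing consumes them, which is why no log file appears.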

