[Bro] Help with bro

anthony kasza anthony.kasza at gmail.com
Wed Nov 23 22:32:54 PST 2016


Again, I'm adding the bro list for others' edification.

HTTP.cc is part of "the core". It parses connection streams passed to it
from the analyzer tree and raises events defined in events.bif. Such
events include those around HTTP headers, HTTP requests, HTTP responses,
etc. Then, the script "layer" is called based on those events. Such events
have handler code in scripts that do things such as logging. I hope this
helps.

-AK

On Nov 23, 2016 9:30 PM, "Yagyesh Srivastava" <ysrivas at ncsu.edu> wrote:

> Hi Anthony,
>
> I included this question with the bro mailing list also; by any chance, if
> you know the answers, please let me know. It would be a great help. I have been stuck on
> this for a couple of days.
> I don't quite understand what you mean by raising an event and defining an
> event.
>
> As I understand it, the incoming packets are picked up by bro and then some sort
> of stream (Delivered Stream) is formed (not sure here; if you could please
> elaborate on this) and then go through the process of the analyzer tree, which then
> figures out based on the signature whether a particular packet is HTTP or
> not (let's say). Then an HTTP event is generated, and if the corresponding
> event handler is defined then the event is put in the event queue.
> When the event reaches the head of the queue it is processed, and
> the event handler feeds corresponding data structures which will be used by
> scripts as well, and the script is notified by the event handler of the
> event having occurred.
>
> so with respect to HTTP what function does HTTP.cc perform here, and what
> does events.bif.cc perform?
> Present in bro/build/src/analyzer/protocol/http
>
> It would be great if you can give some idea here.
>
> I am trying to put some debug logs in each of the functions in
> events.bif.cc and HTTP.cc (the debug logs just open a file and
> print to that file). But all I can see printed is bro_init. Any idea as
> to why?
>
> Thanks and regards,
>
>
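The script-layer side of the mechanism AK describes, as an added example that is not part of the original thread or of the Bro distribution: the core (HTTP.cc) raises `http_request`, `http_header` and `http_reply`, which are declared in events.bif, and the handlers below run when those events are dequeued. The module name, log path and the `Info` record fields are this example's own choices; the event signatures, `bro_init`, `Log::create_stream` and `Log::write` are Bro's. Note that the core only generates an event when some loaded script defines a handler for it, so a script like this is also what makes the HTTP events observable at all.

```bro
# Added example, not code from the original post or from the Bro project.
# Save as http_events.bro (file name assumed) and run, e.g.:
#   bro -r capture.pcap http_events.bro
# Writes http_events.log with one line per completed request/response pair.

module HTTPEvents;

export {
    # Register our own log stream with the logging framework.
    redef enum Log::ID += { LOG };

    # Columns of http_events.log (field names chosen for this example).
    type Info: record {
        ts:     time   &log;
        uid:    string &log;
        method: string &log &optional;
        uri:    string &log &optional;
        host:   string &log &optional;
        status: count  &log &optional;
    };
}

# Per-connection state, keyed by connection uid. One slot per connection
# keeps the example short; a pipelined client would overwrite the slot.
global pending: table[string] of Info;

event bro_init()
    {
    Log::create_stream(HTTPEvents::LOG, [$columns=Info, $path="http_events"]);
    print "bro_init: handlers loaded, HTTP events will now be raised by the core";
    }

# Raised by HTTP.cc when the client's request line has been parsed.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    pending[c$uid] = [$ts=network_time(), $uid=c$uid,
                      $method=method, $uri=original_URI];
    }

# Raised once per header; the core upper-cases header names.
event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    if ( is_orig && name == "HOST" && c$uid in pending )
        pending[c$uid]$host = value;
    }

# Raised when the server's status line has been parsed; completes the record.
event http_reply(c: connection, version: string, code: count, reason: string)
    {
    if ( c$uid !in pending )
        return;

    local rec = pending[c$uid];
    rec$status = code;
    Log::write(HTTPEvents::LOG, rec);
    delete pending[c$uid];
    }
```

Because each handler only fires when the core has parsed the corresponding part of the stream, the order in which `print` statements appear from these handlers also shows the order in which HTTP.cc raised the events for a given connection.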