[Bro] Listening on both UDP/TCP

Johanna Amann johanna at icir.org
Tue Nov 6 17:11:10 PST 2018


> I see many of the existing protocols focus on either TCP or UDP, but
> nothing for both.  I did notice that SIP has both TCP and UDP, however, the
> TCP portion is "not activated" (
> https://github.com/bro/bro/tree/master/src/analyzer/protocol/sip).  Is
> there a good example of how to handle both?  Is this something where I
> would need register listener in main.bro? For example:


the closest to this is probably the TLS/DTLS analyzer. Similarly to SIP,
it actually is 2 analyzers (one for TLS over TCP and one for DTLS over
UDP) that share a lot of the code.

scripts/base/protocols/ssl/main.bro shows that both of them are just
initialized separately from each other. From a very cursory glance over
SIP, I think that one could just do the same there.

I hope this helps,

More information about the Bro mailing list