On Feb 8, 2017, at 3:26 PM, Justin Oursler wrote:

> I am writing a new analyzer and plugin for a TCP application protocol. Can someone help
> explain the relationship among the protocol, the analyzer, and the dynamic signature

Bro either attaches an analyzer to a connection based on the likely port (like 80 for
http) or via a signature (/GET.../) so it can find the protocol on non-standard ports.
The analyzer can then confirm that it is seeing the protocol it expects to or not.

> The reason I ask is I have a payload regex in dpd.sig
> that will match on packets and log.

Which log are you talking about? The dpd.log? Or my-protocol.log?

> Then, if I start adding to and changing
> my-proto-protocol.pac (while keeping the arguments the same that get passed to the
> event), Bro's debug will say it matches on the dpd.sig for my protocol, but it will
> not produce a log for my protocol. So, I think I'm missing a fundamental process of
> Bro processing a packet. Why does changing my-proto-protocol.pac affect what gets logged?

Without more information, the most likely explanation is that the change you are making to
the .pac file is breaking the analyzer and causing events to no longer be generated and
nothing to be logged.
- Justin Azoff
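The chain the reply describes (signature match attaches the analyzer, the analyzer parses and raises events, a script turns events into a log) can be made visible with a small Bro script. The following is an added example, not code from the thread or from Bro itself. It assumes a hypothetical plugin that registers an analyzer component named "MyProto" (so Bro generates the tag Analyzer::ANALYZER_MYPROTO), a hypothetical dpd.sig entry that enables it with `enable "myproto"`, and that the analyzer's .pac grammar raises a hypothetical event my_proto_request(c, cmd). The protocol_confirmation and protocol_violation events, Log::create_stream and Log::write are real Bro APIs.

```bro
# Added example (not from the thread). Assumes a hypothetical plugin whose
# analyzer component is named "MyProto" and whose .pac grammar raises the
# event my_proto_request(c: connection, cmd: string).
#
# Assumed dpd.sig entry for that plugin (signature syntax, shown as a comment
# because .sig files are loaded with @load-sigs rather than written in Bro):
#
#   signature dpd_myproto_client {
#       ip-proto == tcp
#       payload /^MYPROTO\/1\.0 /
#       enable "myproto"
#       tcp-state originator
#   }
#
# A payload match only *attaches* the analyzer to the connection. Nothing
# reaches myproto.log unless the analyzer then parses the data and raises
# my_proto_request, which is exactly what a broken .pac stops happening.

module MyProto;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:  time    &log;
		uid: string  &log;
		id:  conn_id &log;
		cmd: string  &log;
	};
}

event bro_init()
	{
	Log::create_stream(MyProto::LOG, [$columns=Info, $path="myproto"]);
	}

# Raised by the analyzer once it has parsed one request. If the .pac change
# breaks parsing, this handler never runs and myproto.log stays empty even
# though the signature still matched.
event my_proto_request(c: connection, cmd: string)
	{
	Log::write(MyProto::LOG, [$ts=network_time(), $uid=c$uid, $id=c$id, $cmd=cmd]);
	}

# The analyzer reports the outcome of its own parsing through these two
# events. A broken .pac usually shows up here as a violation (and, via the
# default base/frameworks/dpd script, as a line in dpd.log) well before it
# shows up as "my log is empty".
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
	{
	if ( atype == Analyzer::ANALYZER_MYPROTO )
		print fmt("%s: MyProto analyzer confirmed the protocol", c$uid);
	}

event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string)
	{
	if ( atype == Analyzer::ANALYZER_MYPROTO )
		print fmt("%s: MyProto analyzer violation: %s", c$uid, reason);
	}
```

Run it against a capture with `bro -r trace.pcap myproto.bro` (plus the plugin and its dpd.sig on the load path). The diagnostic split is the point: an empty myproto.log together with violation lines for the MyProto tag in dpd.log means the signature did its job and the analyzer was attached, and the failure is in the .pac parsing step; an empty myproto.log with neither confirmation nor violation usually means the analyzer was never attached at all, which points back at the signature or port mapping.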