After Seth explained the difference between the Event Engine in Bro and the
pre-processor in Snort, I am still quite confused about the Event Engine.
I think the Event Engine is like the decode layer: the user can write their
own program to indicate which protocol the incoming packet has used
and which handler we should use, then pass it to the Policy Script Interpreter
layer. This layer will check the payload part and use signature
matching to check whether the incoming packet has unknown behaviour or
So can I think that the Event Engine is used to indicate which event handler will be
used, and the policy script layer will choose the particular script for
the particular handler?
Thanks for your help.
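As an added illustration that is not part of the original post, here is a minimal Bro policy script showing the split the question is about. The event engine lives in the Bro core: it decodes packets, reassembles streams, works out which protocol a connection carries and raises events such as `connection_established`, `http_request` and `signature_match`. The policy script interpreter then runs whichever handlers the loaded scripts define for those events; a script never parses raw packets itself. The handler bodies and the printed strings below are my own, and the file names in the usage note are assumptions.

```bro
# Added example, not from the original thread.
# The core's event engine decodes packets and generates events; nothing in
# this file parses packets. Each `event` block is a handler that the policy
# script interpreter runs when the core raises that event.

# Raised by the core once for each TCP connection whose handshake completed.
event connection_established(c: connection)
    {
    print fmt("TCP connection %s:%s -> %s:%s",
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
    }

# Raised by the HTTP analyzer after the engine has recognised the protocol
# and parsed the request line; the script only sees the decoded fields and
# decides what is interesting (here: a simple directory-traversal check).
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    if ( /\.\.\// in unescaped_URI )
        print fmt("directory traversal attempt from %s: %s %s",
                  c$id$orig_h, method, unescaped_URI);
    }

# Raised by the signature engine when a rule from a loaded .sig file matches
# payload. The byte matching happens in the core; the script layer only
# receives the match and decides how to react to it.
event signature_match(state: signature_state, msg: string, data: string)
    {
    print fmt("signature %s matched on %s -> %s: %s",
              state$sig_id, state$conn$id$orig_h, state$conn$id$resp_h, msg);
    }
```

The signature rule itself is not written in this script; it lives in a separate signature file that is handed to the core. Assuming the script is saved as `example.bro` and the rules as `rules.sig` (both names are mine), it can be run live with `bro -i eth0 -s rules.sig example.bro` or against a capture with `bro -r trace.pcap -s rules.sig example.bro`; the script is unchanged either way, because the event engine, not the script, is what changes between live and offline input.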