Hi All:

After Seth has explained the difference between Event Engine in Bro and pre-processor in Snort, I am still quite confuse about the Event Engine layer.

I think the Event Engine is like the decode layer, the user can write their own program to indicate which protocol that incoming packet has been used and which handle we should use, then pass to the Policy Script Interpreter layer, this layer will check the payload part, and using the signature matching to check either the incoming packet with the unknown behaviour or not. 

So can I think that Event Engine use to indicate which event handle will be used, and the policy script layer will choose the particular script from the particular handle??

Thanks for your help.

Steven