On Jan 4, 2012, at 2:15 AM, Qinwen Hu wrote:
> I think the Event Engine is like the decode layer,
It's really best to stop trying to make comparisons to various components of Bro with
components of Snort. They are different systems and they work very differently. :)
> the user can write their own program to indicate which
> protocol the incoming packet has used and which handler we should use, then pass it to
> the Policy Script Interpreter layer; this layer will check the payload part and use
> signature matching to check whether the incoming packet has unknown behaviour or not.
Bro doesn't have much focus on packets. It's concerned with connections and the
protocols that run over those connections. Signatures don't really have anything to
do with it.
> So can I think that the Event Engine is used to indicate which
> event handler will be used, and the policy script layer will choose the particular script
> for the particular handler?
Think of the data flow like this:
Packets -> Bidirectional Streams -> Analyzers -> Events -> Event handlers
(script land)
Packets get turned into bidirectional streams of data by the reassembler and the tcp
analyzer. The data streams are passed to one or more protocol analyzers (I'm
glossing over this because a lot more is going on here) which take the data and turn it
into events. For example, when the http analyzer is attached to an http session and the
request happens, the analyzer will create an http_request event and insert it into the
event queue (which is a fairly simple FIFO). When the event bubbles to the top of the
queue, it will call all of the http_request handlers. At that point whatever you write
code to do with the event is your concern.
Does that make things more clear?
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
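The http_request flow Seth describes above (the HTTP analyzer raises the event, and every handler written for it runs when the event reaches the top of the queue) as an added Bro 2.x script example; this is not code from the thread, and the module name, the notice type and the set of watched methods are assumptions made up for the illustration.

```bro
# Added example: two script-land handlers for the same http_request event.
# Both run for every request; &priority only fixes their relative order.

@load base/protocols/http

module Demo;

export {
    # Hypothetical notice type, defined here for the example only
    redef enum Notice::Type += { Suspicious_Method };

    # Constructed list of methods a defender may want flagged
    const watched_methods: set[string] = { "TRACE", "CONNECT" } &redef;
}

# Per-originator request counter; note the handler is keyed on the
# connection (c$id), not on an individual packet
global requests_by_host: table[addr] of count &default=0;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    ++requests_by_host[c$id$orig_h];
    }

# Second handler for the same event, run after the counter above
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=-5
    {
    if ( method in watched_methods )
        NOTICE([$note=Suspicious_Method,
                $conn=c,
                $msg=fmt("%s request for %s", method, original_URI),
                $identifier=cat(c$id$orig_h, method)]);
    }

# Summarise once the trace (or live capture) has been fully processed
event bro_done()
    {
    for ( h in requests_by_host )
        print fmt("%s made %d HTTP requests", h, requests_by_host[h]);
    }
```

Run it against a pcap with `bro -r trace.pcap demo.bro` (file name assumed); notices land in notice.log and the per-host counts print at shutdown.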