1) I am trying to correlate traffic in the two directions of a connection. I am currently using the "DataSent" method of class to do some processing when data is sent by an endpoint of a
For this type of analysis it might be better to write a Bro script
instead of adding code directly to the engine.
TCP_Endpoint::DataSent() corresponds to the event:
event tcp_packet%(c: connection, is_orig: bool, flags: string, seq:
count, ack: count, len: count, payload: string%);
Or if you want reassembled contents:
event tcp_contents%(c: connection, is_orig: bool, seq: count,
2) I need to maintain the different endpoints in some ArrayList/HashMap. I observed that there are already some list/queue implementations in Bro. Where can I find documentation about using these data structures (available methods, method parameters, etc.)?
You may use "table" and "set" in the Bro language. Please see scripts
under bro/policy/ for examples.
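As an added illustration of both answers above (this is my own example script, not code from the original reply or from the Bro distribution), the following Bro script correlates the two directions of each TCP connection from a `tcp_packet` handler and keeps the per-direction state in a `table` keyed on the connection's `conn_id`. The record type `dir_bytes`, the table name `bytes_by_conn` and the output format are assumptions of this example.

```bro
# Added example: per-direction byte accounting for each TCP connection.
# Uses the tcp_packet event (one call per packet, is_orig tells the direction)
# and a table keyed on conn_id instead of engine-level C++ changes.
# Record and table names here are my own choices, not Bro conventions.

# tcp_packet only fires for packets that reach the engine, so make sure
# TCP traffic is captured.
redef capture_filters += { ["tcp"] = "tcp" };

# Per-connection state: payload bytes seen from each side.
type dir_bytes: record {
    orig_bytes: count;   # bytes sent by the originator (is_orig == T)
    resp_bytes: count;   # bytes sent by the responder  (is_orig == F)
};

# One entry per live connection; conn_id is usable directly as a table index.
global bytes_by_conn: table[conn_id] of dir_bytes;

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
{
    # First packet of a connection we have not seen: create the entry.
    if ( c$id !in bytes_by_conn )
        bytes_by_conn[c$id] = [$orig_bytes = 0, $resp_bytes = 0];

    # Attribute the payload length to the sending endpoint.
    if ( is_orig )
        bytes_by_conn[c$id]$orig_bytes += len;
    else
        bytes_by_conn[c$id]$resp_bytes += len;
}

# When the engine discards the connection, report both directions together
# and drop the table entry so the table does not grow without bound.
event connection_state_remove(c: connection)
{
    if ( c$id in bytes_by_conn )
        {
        local b = bytes_by_conn[c$id];
        print fmt("%s:%d -> %s:%d  orig=%d resp=%d",
                  c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
                  b$orig_bytes, b$resp_bytes);
        delete bytes_by_conn[c$id];
        }
}
```

Two practical notes: `tcp_packet` is raised for every TCP packet, so a handler like this adds per-packet cost and should stay small; if the analysis needs the byte stream rather than individual segments (for example, data split across retransmitted or out-of-order packets), `tcp_contents` delivers the reassembled payload instead. Deleting the entry in `connection_state_remove` matters, since a table indexed by `conn_id` otherwise keeps state for every connection the sensor ever saw.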