> On Feb 8, 2017, at 3:26 PM, Justin Oursler <justin.ours...@gmail.com> wrote:
>
> Hello,
>
> I am writing a new analyzer and plugin for a TCP Application protocol. Can
> someone help explain the relationship among the protocol, the analyzer, and
> the dynamic signature files?

Bro either attaches an analyzer to a connection based on the likely port (like 80 for http) or via a signature (/GET.../) so it can find the protocol on non-standard ports. The analyzer can then confirm that it is seeing the protocol it expects to or not.

> The reason I ask is I have a payload regex in dpd.sig that will match on
> packets and log.

Which log are you talking about? The dpd.log? Or my-protocol.log?

> Then, if I start adding to and changing my-proto-protocol.pac (while keeping
> the arguments the same that gets passed to the event), Bro's debug will say
> it matches on the dpd.sig for my protocol, but it will not produce a log for
> my protocol. So, I think I'm missing a fundamental process of Bro processing
> a packet. Why does changing my-proto-protocol.pac affect what gets logged?

Without more information, the most likely explanation is that the change you are making to the .pac file is breaking the analyzer and causing events to no longer be generated and nothing to be logged.

-- 
- Justin Azoff
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
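As an added diagnostic, not code from this thread or from Bro itself, the script below makes the attach/confirm split in the reply measurable: a dpd.sig match only attaches the analyzer, and the analyzer's own ProtocolConfirmation() or ProtocolViolation() call decides whether its events (and so its log) keep flowing. The analyzer tag Analyzer::ANALYZER_MYPROTO, the signature name dpd_myproto and the payload regex are assumptions for a hypothetical plugin.

```bro
# Constructed dpd.sig for this example: `enable` attaches the analyzer on a
# match, `event` additionally raises signature_match so matches can be counted.
#
#   signature dpd_myproto {
#     ip-proto == tcp
#     payload /^MYPROTO\//
#     enable "myproto"
#     event "myproto-sig-match"
#   }
@load base/frameworks/analyzer
@load base/frameworks/dpd
@load-sigs ./dpd.sig
# Tag of the plugin analyzer under test (hypothetical name).
const target = Analyzer::ANALYZER_MYPROTO;

# Three counters show where a connection drops out of DPD:
# signature matched -> analyzer attached -> analyzer confirmed or rejected.
global sig_matches = 0;
global confirmations = 0;
global violations = 0;

# Fired for each signature carrying an `event` action.
event signature_match(state: signature_state, msg: string, data: string)
	{
	if ( state$sig_id == "dpd_myproto" )
		++sig_matches;
	}

# Only fires once the .pac-generated code calls ProtocolConfirmation().
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
	{
	if ( atype == target )
		++confirmations;
	}

# A ProtocolViolation() lands here and in dpd.log; the analyzer is then
# removed from the connection, so its protocol events (and log) stop.
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string)
	{
	if ( atype != target )
		return;
	++violations;
	print fmt("%s rejected %s: %s", Analyzer::name(atype), c$uid, reason);
	}

event bro_done()
	{
	print fmt("matches=%d confirmed=%d violations=%d", sig_matches, confirmations, violations);
	}
```

If matches stay high while confirmations stay at zero, the analyzer is being attached but never confirms the protocol, which is the situation the reply points at.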