Hey Robin, thanks for your answer. I will look through these files and see if I can use this kind of reassembling.

> If with "payload" you mean the raw bytes, you would pass that as a
> string into the event. But it's hard to do much with raw data that in
> script-land. The common way would be instead creating one event per
> type of payload and then raising the corresponding event as you parse
> packets and find out what's in there.

No, I don't just want to put the whole data as a string into the event. Well, seems like I have to define a lot of different events and/or bro types (I don't know how many data types there are in total).

Thanks a lot.

Dane

On 04.05.2018 at 03:16, Robin Sommer wrote:
>
> On Wed, May 02, 2018 at 22:22 +0200, you wrote:
>
>> 1) Reassembling packets: Some S7CommPlus packets which payload is over a
>> certain amount of bytes will be split and need to be reassembled.
> As a couple quick pointers, the DNP3 and DTLS analyzers face a similar
> task, you might find some ideas there.
>
>> If I want to generate a Bro events which contains the payload as a
>> parameter, how do I do that?
> If with "payload" you mean the raw bytes, you would pass that as a
> string into the event. But it's hard to do much with raw data that in
> script-land. The common way would be instead creating one event per
> type of payload and then raising the corresponding event as you parse
> packets and find out what's in there.
>
> Robin