Adding Events to Bro

To the Bro-IDS team,

My name is James Swaro and I am a graduate student at Ohio University. I am performing research on the retransmission timeout mechanism of TCP and I am using Bro to do this. Bro provides a very good base for my research and I would like to modify the system as needed to create the events and policy files necessary. The documentation that is available on your wiki is extensive and has been very helpful to understanding the general structure of the system.

Mark Allman and Katrina were generous enough to share the RTT branch that they were working on. I need to add events to the system to generate specific information when congestion control states have possibly been triggered. I've attempted to create an event in the source code by editing event.bif and TCP.cc, but it does not seem to recognize the event and crashes. Either that, or I've misunderstood the way that the data from the event is created.

Am I incorrect with the process of adding a new event?
1. Add the event in event.bif. (Ex. event test_something...)
2. Add the event in the intended location to be called by Bro as it parses the file. (Ex. Add Event(test_something, vl); to some file).
3. Recompile and test.

I am still learning the framework and I appreciate any help. Thank you for your time.

Sincerely,

James Swaro

> Am I incorrect with the process of adding a new event?
> 1. Add the event in event.bif. (Ex. event test_something...)
> 2. Add the event in the intended location to be called by Bro as it
> parses the file. (Ex. Add Event(test_something, vl); to some file).
> 3. Recompile and test.

In general, yes, that's the procedure. Note that test_something will be
nil if you run using a script that doesn't include a handler for it.
(But Connection::Event checks for this, so that shouldn't cause a crash.)

A common problem is observing that the event doesn't get generated
(as opposed to a crash). That often comes about because you're running
with the default pcap filter, or in any case with a filter that doesn't
include the traffic you're analyzing. So you might need to run with e.g.
"-f tcp" to capture all TCP packets.

    Vern
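Added example (not Bro source code, and not from either message above): a stand-alone C++ model of the dispatch path Vern describes, written to show why a newly added event can fail to fire without crashing. The three-step procedure in the question is mirrored as Declare (event.bif), Define (a policy-script handler) and a call site inside a TCP analyzer loop. Every name here (EventRegistry, Connection::Event, FilterRule, PcapFilter), the "default filter" contents and the packet trace are assumptions constructed for this illustration, not Bro's actual types or defaults.

```cpp
// Added example (not Bro source): a stand-alone model of event dispatch.
// All names and the packet trace below are assumptions for illustration.
#include <functional>
#include <map>
#include <string>
#include <vector>

struct Packet { std::string proto; int dport; };  // constructed sample record

// Script-side handler. An event declared in event.bif but never handled in a
// policy script is "nil": the registry entry exists, the callable is empty.
using Handler = std::function<void(const Packet&)>;

struct EventRegistry {
    std::map<std::string, Handler> handlers;
    // Mirrors declaring the event in event.bif: name known, handler nil.
    void Declare(const std::string& name) { handlers.emplace(name, Handler{}); }
    // Mirrors a policy script defining "event test_something(...)".
    void Define(const std::string& name, Handler h) { handlers[name] = std::move(h); }
    const Handler* Lookup(const std::string& name) const {
        auto it = handlers.find(name);
        return it == handlers.end() ? nullptr : &it->second;
    }
};

struct Stats {
    int generated = 0;          // handler actually ran
    int dropped_no_handler = 0; // reached Event() but the handler was nil
    int dropped_by_filter = 0;  // never reached the analyzer at all
};

// Stand-in for Connection::Event: generate only when a handler exists; a nil
// handler is skipped rather than dereferenced, so it cannot crash here.
struct Connection {
    EventRegistry& reg;
    Stats& stats;
    void Event(const std::string& name, const Packet& p) {
        const Handler* h = reg.Lookup(name);
        if (h == nullptr || !*h) { ++stats.dropped_no_handler; return; }
        (*h)(p);
        ++stats.generated;
    }
};

// Stand-in for the pcap filter; port -1 means "any port" (what "-f tcp" asks for).
struct FilterRule { std::string proto; int port; };
struct PcapFilter {
    std::vector<FilterRule> rules;
    bool Matches(const Packet& p) const {
        for (const auto& r : rules)
            if (r.proto == p.proto && (r.port == -1 || r.port == p.dport)) return true;
        return false;
    }
};

// Constructed trace: three TCP flows (80, 443, 22) and one DNS query.
static const std::vector<Packet> kTrace = {
    {"tcp", 80}, {"tcp", 443}, {"udp", 53}, {"tcp", 22},
};

// Assumed default filter: only the ports of analyzers that happen to be loaded.
static const PcapFilter kDefaultFilter{{{"tcp", 80}, {"udp", 53}}};
static const PcapFilter kAllTcp{{{"tcp", -1}}};  // equivalent of "-f tcp"

// Drive the trace through filter -> TCP analyzer -> Event(), like a call placed
// in TCP.cc. Only TCP packets reach the TCP analyzer's call site.
Stats RunTrace(const PcapFilter& filter, EventRegistry& reg) {
    Stats stats;
    Connection conn{reg, stats};
    for (const auto& p : kTrace) {
        if (!filter.Matches(p)) { ++stats.dropped_by_filter; continue; }
        if (p.proto == "tcp") conn.Event("test_something", p);
    }
    return stats;
}

// Step 1 only: declared in event.bif, no handler in the policy script.
Stats ScenarioNoHandler() {
    EventRegistry reg; reg.Declare("test_something");
    return RunTrace(kAllTcp, reg);
}

// Handler defined, but the default filter never delivers most TCP traffic.
Stats ScenarioDefaultFilter() {
    EventRegistry reg; reg.Declare("test_something");
    reg.Define("test_something", [](const Packet&) {});
    return RunTrace(kDefaultFilter, reg);
}

// Handler defined and run with the equivalent of "-f tcp".
Stats ScenarioAllTcp() {
    EventRegistry reg; reg.Declare("test_something");
    reg.Define("test_something", [](const Packet&) {});
    return RunTrace(kAllTcp, reg);
}
```

The three scenarios separate the two silent failure modes from the reply: with no handler the event reaches Event() and is dropped there, and with a narrow capture filter the packets never reach the analyzer at all, so the call site in TCP.cc is never executed. Only the last scenario, with a handler defined and a filter that admits all TCP, generates events for every TCP packet.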