Another (I think) simple question: how do I resolve the “count” constant to its appropriate ANALYZER_* name string? I think I need to do something with dpd_config, but can’t seem to find the right information.
I can see (through observation) that 34 is ANALYZER_SSL, 9 is ANALYZER_DNS and 13 is ANALYZER_HTTP, but I can’t find those associations anywhere in the code.
What I want to do is have a script that validates the protocol of a flow for a web application I’m using. So I’m getting that data out of Bro with a Python script using this snippet in site/local.bro:
# Custom event consumed by the external Python script: it carries the
# connection id and the analyzer tag as a raw count.
global protocol_confirmation_custom: event(cid: conn_id, atype: count);

event protocol_confirmation(c: connection, atype: count, aid: count)
    {
    event protocol_confirmation_custom(c$id, atype);
    }
My script then gets data like:
protocol_confirmation {'orig_p': '34850/tcp', 'orig_h': 'x.x.x.x', 'resp_p': '80/tcp', 'resp_h': 'x.x.x.x'} 13
Instead of that “13” at the end, I want “ANALYZER_HTTP”. But obviously, I don’t want to just make that association manually - I’m sure there must be a way to get the analyzer name programmatically, I just can’t seem to find it.
Thanks for your help!
Justin
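As an added example (not part of Justin's post), one way to keep the name resolution and the flow validation inside Bro itself: it assumes the `analyzer_name(aid: count): string` built-in that Bro 2.x of this era shipped for translating analyzer tags to strings, and a constructed web-app port and expected analyzer name that would need adjusting to whatever that function returns locally.

```bro
# Added example, not from the original post or the Bro project.
# Assumptions: analyzer_name(aid: count): string is available (Bro 2.x built-in),
# the web application under test answers on 80/tcp (constructed value), and
# analyzer_name() returns "HTTP" for the HTTP analyzer (adjust if it differs).
@load base/utils/conn-ids

const webapp_port = 80/tcp &redef;
const expected_analyzer = "HTTP" &redef;

# The external script now receives the analyzer's name instead of a raw count.
global protocol_confirmation_custom: event(cid: conn_id, aname: string);

event protocol_confirmation(c: connection, atype: count, aid: count)
    {
    # Resolve the numeric analyzer tag programmatically rather than
    # hardcoding the 34/9/13 associations observed by hand.
    local aname = analyzer_name(atype);

    event protocol_confirmation_custom(c$id, aname);

    # Validation step: a confirmed protocol on the web app's port that is not
    # HTTP is the condition the flow check is meant to surface for review.
    if ( c$id$resp_p == webapp_port && aname != expected_analyzer )
        print fmt("unexpected analyzer %s confirmed on %s", aname, id_string(c$id));
    }
```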