exercising binpac++/spicy parsers

Hello,

There are some hilti-based parsers in the Bro docker image. When I run
the pcaps for BACnet (/opt/hilti/bro/tests/Traces/bacnet/*.pcap) through
Bro (e.g. bro -r NPDU.pcap), no event logs are produced in
/usr/local/bro/logs.

How do I integrate these parsers into Bro?

- Troy

Hello Troy,

> There are some hilti-based parsers in the Bro docker image. When I run
> the pcaps for BACnet (/opt/hilti/bro/tests/Traces/bacnet/*.pcap) through
> Bro (e.g. bro -r NPDU.pcap), no event logs are produced in
> /usr/local/bro/logs.

You have to load the applicable scripts and pac files for Bro to be able
to parse these protocols. Which files you have to load depends a bit on
the protocol. The easiest way is to look at the tests that should be there
for each of the protocols, that is, to look into the tests directory in
hilti/bro/tests. In there, pac2/bacnet/npdu_nlmessages.bro shows that to
parse the NPDUs, it loads bacnet.evt and bacnet.bro out of the hilti
distribution and then defines a few custom events for output.

Generally, none of the spicy parsers come with the Bro scripts to generate
log output -- the parsers just create events. For some of the parsers
replacing protocols (like DNS or HTTP), the events might be similar enough
to the events emitted by the binpac parsers to already generate logs. For
all new protocols implemented by spicy, you would first have to create
such scripts.

I hope that helps,
Johanna
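As an added illustration of the pattern Johanna describes (not code from the thread or from the hilti distribution), here is a minimal Bro script that loads the parser's .evt/.bro pair and turns one event into a log stream. The event name bacnet_npdu and its arguments are placeholders; the real names come from bacnet.evt.

```bro
# Added example, not part of the hilti tree: a .bro script that gives a
# Spicy/HILTI-parsed protocol a log, the same way a binpac-based script would.
# Assumptions: bacnet.evt and bacnet.bro sit next to this file (paths are
# placeholders), and the parser raises a hypothetical event
# bacnet_npdu(c: connection, msg_type: count).

@load ./bacnet.evt   # event definitions for the Spicy parser (assumed path)
@load ./bacnet       # bacnet.bro from the hilti distribution (assumed path)

module BACnet;

export {
	# One new log stream; Bro writes it to bacnet.log under the logs directory.
	redef enum Log::ID += { LOG };

	# Columns of the log; &log marks the fields that are written out.
	type Info: record {
		ts:       time    &log;
		uid:      string  &log;
		id:       conn_id &log;
		msg_type: count   &log &optional;
	};

	# Raised for every record written, so other scripts can hook the log.
	global log_bacnet: event(rec: Info);
}

event bro_init() &priority=5
	{
	Log::create_stream(BACnet::LOG, [$columns=Info, $ev=log_bacnet, $path="bacnet"]);
	}

# Placeholder for the parser's real NPDU event; the parser only delivers
# events, so this handler is what actually produces the log line.
event bacnet_npdu(c: connection, msg_type: count)
	{
	local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id, $msg_type=msg_type];
	Log::write(BACnet::LOG, rec);
	}
```

Without a handler like this, running a BACnet pcap through Bro only raises events and nothing reaches the logs directory.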

Johanna, that does help, thank you.

Was BACnet used simply as a test for spicy, or perhaps are there plans
to develop it further?

- Troy

(reviving this old thread)

Is the method for generating log output the same with spicy parsers as
it is for binpac parsers? Would the code to do so reside in .bro file?

- Troy