Help with Bro source code


I am trying to understand the Bro events engine for HTTP.
I see that the code has two places where HTTP is handled:

  1. build/src/protocol/http (files like , and
  2. src/protocol/http (files like HTTP.CC)

I am guessing the first one is the event engine and the second one is for handling the incoming HTTP packets. Is that correct?

Does anyone know of a runtime analysis tool which would be helpful in this case?
How do we generally go about understanding Bro’s code base? I am just a beginner at this.
Would really appreciate all the help.


Thanks Anthony.

I now have a basic understanding, having gone through Anthony Kasza’s blog.

Can someone please help me with any kind of material/slides for understanding bro source code?
Any other help/source would really help me a lot!


I am not sure if you already found it - we have on our webpage for a few

Apart from that, I don't think there is much that exists.