Hui Lin: Enable Protocol Analyzer in Bro bare mode

Hi,

I am using Bro bare mode to test my own policy script.

I would also like to use the Syslog analyzer to analyze the syslog_message event. I define the syslog_message event in my own script, but this event handler is not executed under bare mode. I am wondering what scripts should be loaded to enable the Syslog analyzer.

Best,

It's enabled by default. Can you show the code you are using that isn't working?

  .Seth

Actually it is quite simple. This is my syslog_message event handler.

@load frameworks/communication/listen

# Globals assumed to be count and bool, matching the assignments below
# (their declarations were not included in the original message).
global gUsrID: count = 0;
global findSyslog: bool = F;

event syslog_message(c: connection, facility: count, severity: count, msg: string)
	{
	gUsrID = facility;
	print fmt("syslog %d", facility);
	findSyslog = T;
	}

gUsrID and findSyslog are two global variables.

I am not sure why it is not executing. I did not see any print on the console.

Best,

Hui

I just noticed that you said you are running in bare mode. Why is that? I would only recommend that you do that if you really know what you are doing.

  .Seth

I would also like to use the Syslog analyzer to analyze the syslog_message event. I define the syslog_message event in my own script, but this event handler is not executed under bare mode. I am wondering what scripts should be loaded to enable the Syslog analyzer.

You could "@load base/protocols/syslog" to enable the analyzer at least for UDP port 514 traffic. Or you could just "redef dpd_config" like base/protocols/syslog/main.bro does for the ports you need. Not sure if a DPD signature could/should be added for syslog so that this would not be necessary; Seth would probably have an idea.

    Jon
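A minimal bare-mode script that puts Jon's first suggestion together with a syslog_message handler, as an added example rather than code from the thread. It assumes a Bro 2.x install where base/protocols/syslog registers the analyzer for 514/udp, and a capture file named capture.pcap; the counter and the bro_done check are hypothetical additions for verifying that the analyzer is actually attached.

```bro
# Run with: bro -b -r capture.pcap enable_syslog.bro
# Under -b nothing from base/ is loaded, so the Syslog analyzer is never
# attached to any connection and syslog_message never fires. Loading the
# analyzer's base script registers it for 514/udp.
@load base/protocols/syslog

global syslog_count: count = 0;     # number of syslog messages seen
global last_facility: count = 0;    # facility of the most recent message

event syslog_message(c: connection, facility: count, severity: count, msg: string)
	{
	++syslog_count;
	last_facility = facility;
	print fmt("syslog from %s facility=%d severity=%d: %s",
	          c$id$orig_h, facility, severity, msg);
	}

# Sanity check at shutdown: a count of 0 on a capture that does contain
# syslog traffic means the analyzer is still not being attached (for
# example, syslog on a non-standard port), not a bug in the handler.
event bro_done()
	{
	print fmt("syslog messages seen: %d", syslog_count);
	}
```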