Hello,
I am working on Bro-IDS as my academic project and want some information.
I want to know what are the data structures implemented in analyzer and binpac and how are these data structures passed between them.
It's urgent.
Thank you.
I don't understand the question. BinPAC is a compiler. It takes one or more .pac files, and compiles them to a .cc and .h file. Those then get compiled with the rest of Bro.
You can look at these .cc and .h files when you build Bro - build/src/analyzer/protocol/ssl/ssl_pac.cc, for example. Data structures will be in those files.
Have you seen the documentation?
http://www.icir.org/vern/papers/binpac.IMC06.pdf
https://www.bro.org/download/README.binpac.html
http://www.bro.org/development/howtos/binpac-sample-analyzer.html
Let us know if you have a specific question.
--Vlad
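As an added illustration of how the pieces described above fit together (this is constructed for the thread, not code from the Bro project or from any participant): a hypothetical "FOO" protocol split across three .pac files in the layout the sample-analyzer howto uses. The record type FOO_PDU is the data structure; binpac turns it into a C++ class in foo_pac.h/.cc with one accessor per field, and the embedded `%{ ... %}` C++ is where the parsed fields are handed to Bro's event engine. The protocol name, file names, field names and the event foo_message are assumptions; the runtime calls (BifEvent::generate_*, bro_analyzer(), bytestring_to_val) assume the Bro 2.x BinPAC runtime (binpac_bro.h).

```binpac
# foo.pac -- top-level file handed to binpac (hypothetical FOO protocol)
%include binpac.pac
%include bro.pac

%extern{
#include "events.bif.h"   // declares BifEvent::generate_foo_message (assumed event)
%}

analyzer FOO withcontext {
    connection: FOO_Conn;
    flow:       FOO_Flow;
};

connection FOO_Conn(bro_analyzer: BroAnalyzer) {
    upflow   = FOO_Flow(true);
    downflow = FOO_Flow(false);
};

%include foo-protocol.pac

flow FOO_Flow(is_orig: bool) {
    datagram = FOO_PDU(is_orig) withcontext(connection, this);
};

%include foo-analyzer.pac

# foo-protocol.pac -- the wire format (constructed for this example)
# This record becomes a generated C++ class FOO_PDU whose fields are read
# through accessors: msg->version(), msg->len(), msg->payload().
type FOO_PDU(is_orig: bool) = record {
    version : uint8;
    len     : uint16;
    payload : bytestring &restofdata;
} &byteorder = bigendian;

# foo-analyzer.pac -- glue between the generated parser and Bro
refine connection FOO_Conn += {
    %member{
        // Per-connection state kept in the generated class (plain C++).
        uint64 pdus_seen_;
    %}
    %init{ pdus_seen_ = 0; %}
    function count_pdu(): bool %{ ++pdus_seen_; return true; %}
};

refine flow FOO_Flow += {
    # Called once per parsed FOO_PDU. The matching declaration in events.bif
    # would be:  event foo_message%(c: connection, version: count, payload: string%);
    function proc_foo_pdu(msg: FOO_PDU): bool
        %{
        connection()->count_pdu();
        BifEvent::generate_foo_message(
            connection()->bro_analyzer(),
            connection()->bro_analyzer()->Conn(),
            ${msg.version},
            bytestring_to_val(${msg.payload}));
        return true;
        %}
};

# Attach the callback to the type so it runs as part of parsing each PDU.
refine typeattr FOO_PDU += &let {
    proc: bool = $context.flow.proc_foo_pdu(this);
};
```

The point for the original question: the .pac files define the structures (records) and the C++ hooks; binpac emits the classes and parsing code into the generated .cc/.h files, and the hand-written analyzer .cc (the class deriving from Bro's Analyzer) only feeds bytes into the generated interp object and declares the events in events.bif.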
Hello Vlad,
Thank you for your reply.
Though I framed the question completely wrong, yet your answer served almost all my queries.
I have another doubt and please correct my mistakes.
The C++ code is generated from the .pac files by binpac in the build. After “make” and “make install”, is this the final analyzer?
What do the .cc files along with the .pac files in the analyzer have as content if I intend to write a custom protocol? As binpac calls the event function for the protocols when a particular “type” is detected, are those event functions present in these .cc files?
Are the data structures present in these binpac compiled .cc files used for information exchange?
Thank you.