I'm working on cataloging service-level protocols seen on a network. event.bif.bro lists "protocol_confirmation: event(c: connection , atype: Analyzer::Tag , aid: count)", which seems to be just the ticket. However, it is not invoked by some of the protocol analyzers of interest (e.g., MODBUS/TCP). It is invoked by DNS, but I don't see it in /scripts/base/protocols/dns/main.bro (https://www.bro.org/sphinx/_downloads/main25.bro). How do I modify the other protocol analyzer scripts to invoke protocol_confirmation?
You do not see the event being raised in scriptland, because it is
generated by Bro when the C++ or binpac code (in
src/analyzers/protocols/*) calls ProtocolConfirmation(); or
bro_analyzer()->ProtocolConfirmation(); to confirm that it is parsing the
correct protocol, after it parses enough data to be sure about it.
That function call was missing from the modbus analyzer; it was
added to bro master a few days ago and should be raised there now too.
TCP/UDP do not raise it currently -- I think the justification for this is
that in the case of TCP and UDP Bro does not really detect the protocol,
but it is given directly in the IP information (i.e. -- if the IP header
says that it is TCP, Bro just believes it).
I believe I'm using the updated bro code. My source pcap has MODBUS traffic, and there are three MODBUS logs: modbus, known_modbus and modbus_register_change; my earlier bro only output modbus.log. However, MODBUS does not appear to be picked up by protocol_confirmation. When I run the test script
event protocol_confirmation(c: connection , atype: Analyzer::Tag , aid: count )
The output is