An LDAP analyzer would be great to have.
Obviously, I'm new to Bro. I looked through the documentation and was
not able to find anything on extending Bro's collection of analyzers.

Unfortunately, there isn't documentation for this yet. The way to go
about it, though, is to identify an analyzer Bro already supports for
a protocol that's similar to the one you want to do, and use the
corresponding classes (in say HTTP.{h,cc} or DNS.{h,cc}, for example)
as templates.

I'm especially interested in how to define event_handlers for custom
policy scripts that leverage the LDAP analyzer.

See the file event.bif, which serves as the glue between the C++ of the
event engine and the .bro policy script files.
Vern
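As an added illustration (not code from the thread, and not part of Bro itself) of the policy-script side of that glue: the handlers below consume events a hypothetical LDAP analyzer would raise, and the event names and parameters (ldap_bind_request, ldap_bind_result) are assumptions that would first have to be declared in event.bif and generated from the analyzer's C++ code.

```bro
@load base/frameworks/notice

module LDAP;

export {
    redef enum Notice::Type += {
        # Raised when one client fails to bind too many times.
        Excessive_Failed_Binds,
    };

    # Failed binds from a single client before a notice is raised.
    const failed_bind_threshold = 10 &redef;

    # Failed-bind counter per client address; forgotten 10 minutes after the last write.
    global failed_binds: table[addr] of count &default=0 &write_expire=10 min;

    # Bind name last offered on a connection, keyed by connection id.
    global pending_bind: table[conn_id] of string &default="";
}

# Assumed event.bif declaration (hypothetical, not part of Bro):
#   event ldap_bind_request%(c: connection, version: count, name: string%);
event ldap_bind_request(c: connection, version: count, name: string)
    {
    pending_bind[c$id] = name;
    }

# Assumed event.bif declaration (hypothetical, not part of Bro):
#   event ldap_bind_result%(c: connection, result_code: count%);
# LDAP resultCode 0 means success; anything else counts as a failed bind.
event ldap_bind_result(c: connection, result_code: count)
    {
    local orig = c$id$orig_h;
    local name = pending_bind[c$id];
    delete pending_bind[c$id];
    if ( result_code == 0 )
        {
        # A successful bind clears the client's failure count.
        delete failed_binds[orig];
        return;
        }

    ++failed_binds[orig];
    if ( failed_binds[orig] == failed_bind_threshold )
        NOTICE([$note=Excessive_Failed_Binds, $conn=c,
                $msg=fmt("%s failed %d LDAP binds (last bind name %s, result code %d)",
                         orig, failed_binds[orig], name, result_code),
                $identifier=cat(orig)]);
    }
```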