I see many of the existing protocols focus on either TCP or UDP, but nothing for both. I did notice that SIP has both TCP and UDP, however, the TCP portion is "not activated" (https://github.com/bro/bro/tree/master/src/analyzer/protocol/sip). Is there a good example of how to handle both? Is this something where I would need to register a listener in main.bro? For example:
[...]
The closest to this is probably the TLS/DTLS analyzer. Similarly to SIP,
it actually is two analyzers (one for TLS over TCP and one for DTLS over
UDP) that share a lot of the code.
scripts/base/protocols/ssl/main.bro shows that both of them are just
initialized separately from each other. From a very cursory glance over
SIP, I think that one could just do the same there.
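As an added illustration of the pattern the reply describes (two analyzers registered separately from one main.bro), and not code from the Bro tree or from either poster: the script below registers a UDP analyzer and a TCP analyzer for the same protocol the way scripts/base/protocols/ssl/main.bro does for SSL and DTLS. `Analyzer::ANALYZER_SIP` is the existing UDP SIP analyzer tag; `Analyzer::ANALYZER_SIP_TCP` is an assumed name for a hypothetical activated TCP-side analyzer and would have to match whatever tag the C++ plugin actually registers. The port sets and the use of `get_port_transport_proto()` to tell the two transports apart in a shared event handler are the example's own choices.

```bro
# Added example: register one protocol over both TCP and UDP from a single
# main.bro, mirroring how ssl/main.bro registers ANALYZER_SSL and ANALYZER_DTLS.
module SIP;

# Separate port sets per transport; &redef lets site policy extend them.
# 5060 is the standard SIP port; both sets are assumptions for this example.
const udp_ports = { 5060/udp } &redef;
const tcp_ports = { 5060/tcp } &redef;

# Mark both as likely server ports so the dynamic protocol detection
# prefers them when guessing the responder side of a connection.
redef likely_server_ports += { udp_ports };
redef likely_server_ports += { tcp_ports };

event bro_init() &priority=5
	{
	# Two independent registrations, exactly as ssl/main.bro does for
	# TLS (TCP) and DTLS (UDP). Each tag names its own analyzer, even
	# though the two analyzers share most of their parsing code.
	Analyzer::register_for_ports(Analyzer::ANALYZER_SIP, udp_ports);
	# Assumed tag for the TCP-side analyzer; it must match the tag the
	# plugin registers in the C++ analyzer code.
	Analyzer::register_for_ports(Analyzer::ANALYZER_SIP_TCP, tcp_ports);
	}

# Because both analyzers raise the same events, one handler serves both.
# Signature assumed to match the existing sip_request event.
event sip_request(c: connection, method: string, original_URI: string, version: string)
	{
	local proto = get_port_transport_proto(c$id$resp_p);
	if ( proto == tcp )
		print fmt("SIP %s over TCP from %s", method, c$id$orig_h);
	else if ( proto == udp )
		print fmt("SIP %s over UDP from %s", method, c$id$orig_h);
	}
```

Loading this with a trace that carries SIP on both transports should produce one `sip_request` line per request regardless of transport; if only the UDP side fires, the TCP analyzer tag is wrong or the TCP analyzer is still not activated in the plugin.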