Packet Signature, Protocol, and Analyzer Relationship

Hello,

I am writing a new analyzer and plugin for a TCP Application protocol. Can someone help explain the relationship among the protocol, the analyzer, and the dynamic signature files? The reason I ask is I have a payload regex in dpd.sig that will match on packets and log. Then, if I start adding to and changing my-proto-protocol.pac (while keeping the arguments the same that gets passed to the event), Bro’s debug will say it matches on the dpd.sig for my protocol, but it will not produce a log for my protocol. So, I think I’m missing a fundamental process of Bro processing a packet. Why does changing my-proto-protocol.pac affect what gets logged?

Thanks,

Justin

Hello,

I am writing a new analyzer and plugin for a TCP Application protocol. Can someone help explain the relationship among the protocol, the analyzer, and the dynamic signature files?

Bro either attaches an analyzer to a connection based on the likely port (like 80 for http) or via a signature (/GET.../) so it can find the protocol on non-standard ports. The analyzer can then confirm that it is seeing the protocol it expects to or not.

The reason I ask is I have a payload regex in dpd.sig that will match on packets and log.

Which log are you talking about? the dpd.log? or my-protocol.log?

Then, if I start adding to and changing my-proto-protocol.pac (while keeping the arguments the same that gets passed to the event), Bro's debug will say it matches on the dpd.sig for my protocol, but it will not produce a log for my protocol. So, I think I'm missing a fundamental process of Bro processing a packet. Why does changing my-proto-protocol.pac affect what gets logged?

Without more information, the most likely explanation is that the change you are making to the .pac file is breaking the analyzer and causing events to no longer be generated and nothing to be logged.