Plugin doesn't seem to get instantiated

Hi all,

I want to create my own bro plugin but I’m stuck in the playing-around phase. Below is my current code and information about my system. I know packet counts are available in the normal logs, this is just my hello world for bro. The problem is that while bro seems to recognize that there is a plugin, it doesn’t seem to instantiate the analyzer when it is processing a pcap. I’ve tried to activate it using the environment variables, the Available function and the EnableHook. I need to process all connections so I can’t use port numbers or signatures.

The only output the plugin creates is ‘hello world!’ from the plugin.cc. If the Analyzer gets instantiated, I would expect more output.

Could someone please help me?

Bas

Plugin.cc:

Hi,

In order to find the reason that my plugin isn’t doing anything, I have recompiled with --enable-debug and I run with bro -B plugins. The debug.log now contains

0.000000/1440343663.376984 [plugins] Found plugin mynamespace::myplugin in /usr/local/bro/lib/bro/plugins/mynamespace_myplugin
0.000000/1440343663.383816 [plugins] Activating plugin mynamespace::myplugin
0.000000/1440343663.383855 [plugins] Adding /usr/local/bro/lib/bro/plugins/mynamespace_myplugin/scripts to BROPATH
0.000000/1440343663.383892 [plugins] Loading /usr/local/bro/lib/bro/plugins/mynamespace_myplugin/scripts/preload.bro
0.000000/1440343663.383908 [plugins] Loading /usr/local/bro/lib/bro/plugins/mynamespace_myplugin/lib/bif/load.bro
0.000000/1440343663.383921 [plugins] Loading /usr/local/bro/lib/bro/plugins/mynamespace_myplugin/scripts/load.bro
0.000000/1440343663.383932 [plugins] Searching for shared libraries /usr/local/bro/lib/bro/plugins/mynamespace_myplugin//lib/*.linux-x86_64.so
0.000000/1440343663.384400 [plugins] Registering component PluginAnalyzer (tag 68/0)
0.000000/1440343663.384527 [plugins] Loaded /usr/local/bro/lib/bro/plugins/mynamespace_myplugin//lib/mynamespace-myplugin.linux-x86_64.so

I also added the Available() function to Plugin.h.

Is this all that is required? The plugin still doesn’t do anything… Any hints? Or does anyone have an example non-built-in plugin that work on all connections regardless of ports and signatures?

Best regards,
Bas

Sounds like you're suspecting the right thing already: the analyzer
needs to be explicitly activated for all connections it's supposed to
look at, it's not going to receive everything automatically. There
are 4 ways to activate an analyzer: (1) by port, (2) by signature,
(3) in script-land for a future connection, and (4) with recent git
master you can write a C++ hook function that gets called once at the
beginning of each connection when the default analyzer setup has been
determined; that C++ function can then add the custom analyzer at
that point as well.

The interface for (1)-(3) is documented here
https://www.bro.org/sphinx/scripts/base/frameworks/analyzer/main.bro.html.

For (4), this is the merge commit (not further documented yet).

Robin
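As an added illustration of the script-land paths (1) and (3) that Robin lists (this is not code from the thread or from Bas's plugin), the following Bro script registers a plugin analyzer for a set of ports and schedules it for a future connection. It assumes the plugin component was registered under the name "PluginAnalyzer", so that Bro generates the tag Analyzer::ANALYZER_PLUGINANALYZER; the port numbers and the one-minute timeout are made-up values.

```bro
# Added example, not part of the original thread. Assumes a plugin component
# registered as "PluginAnalyzer" (tag Analyzer::ANALYZER_PLUGINANALYZER, per
# Bro's naming convention for generated tags). Ports and timeout are made up.

module MyPlugin;

export {
	## Ports on which the analyzer is attached automatically (option 1).
	const ports = { 4444/tcp, 5555/tcp } &redef;
}

event bro_init() &priority=5
	{
	# (1) By port: from now on the analyzer becomes part of the default
	# analyzer tree for every TCP connection to one of these ports.
	Analyzer::register_for_ports(Analyzer::ANALYZER_PLUGINANALYZER, ports);
	}

# (3) From script-land, for a *future* connection. This is meant for
# protocols that announce a follow-up connection (FTP data channels and the
# like); it does not add an analyzer to a connection that already exists,
# which is why it cannot cover "all connections". Here a connection to
# 4444/tcp is the trigger: the same pair of hosts then gets the analyzer on
# their next connection to 4445/tcp, if it arrives within one minute.
event connection_established(c: connection)
	{
	if ( c$id$resp_p == 4444/tcp )
		Analyzer::schedule_analyzer(c$id$orig_h, c$id$resp_h, 4445/tcp,
		                            Analyzer::ANALYZER_PLUGINANALYZER, 1min);
	}
```

Placed in the plugin's scripts/ directory (the one the debug.log above shows being added to BROPATH) the script can be @load'ed from the plugin's load.bro; alternatively pass it on the bro command line together with the pcap. Path (2), by signature, lives in a .sig file instead: a rule whose actions include enable "PluginAnalyzer" (the component's registered name) attaches the analyzer to connections whose payload matches the rule.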

Thanks! I still have a lot of work to do, but now at least my UpdateConnVal is being called, so there is progress :-)

You made my day!

For other people that want to create a dynamic plugin that is invoked for all connections (option 4), this is the progress so far:

In my Plugin.cc I added:

// Configure() must also call EnableHook(HOOK_SETUP_ANALYZER_TREE), otherwise
// Bro never invokes this override. It is called once per connection, for
// every transport, after the default analyzer tree has been set up.
void Plugin::HookSetupAnalyzerTree(Connection* conn)
    {
    // A TCP_ApplicationAnalyzer can only hang off the connection's TCP
    // analyzer, so skip UDP/ICMP connections instead of dereferencing null.
    if ( conn->ConnTransport() != TRANSPORT_TCP )
        return;

    ::analyzer::mynamespace_myplugin::PluginAnalyzer::Instantiate(conn);
    }

And in my PluginAnalyzer.cc I now have:

PluginAnalyzer::PluginAnalyzer(Connection* c)
    : tcp::TCP_ApplicationAnalyzer("TEST", c)
    {
    // Attach the new analyzer to the connection's TCP analyzer so that it
    // actually receives the reassembled stream; TCP() resolves that analyzer
    // through the connection even though this object has no parent yet.
    TCP()->AddChildAnalyzer(this); // this line took me quite a while ;-)
    }
