Protocol Analyzer Plugin Question

Greetings,

In working on authoring a new protocol analyzer plugin I have encountered the following issues:

  1. When adding a new type to be passed to an event handler, thus handled upstream by a protocol analyzer script, types.bif only supports enums. In order to deal with this during build time, I have added custom rule and custom target to augment events.bif.bro before it is installed.

Am I missing something here? Is there a more streamlined approach for doing this?

  1. There seems to be an oddity with including an analyzer script along side the plugin. I can see, via loaded_scripts.log, that everything is being loaded properly. However, events are not being fired from the analyzer script loaded from the plugins directory. If I run bro on the command line with an accompanying PCAP, I can see all the appropriate debug I have put into the plugin, but no events fire in the analyzer script. If I run the same command line AND add a different analyzer script that handles the same events, they fire and can be verified via print.

Most of the examples that exist aren’t trying to do anything along these lines and, while I have the rest of the protocol defined well via BinPac, the last mile of making use of that work has been a bit uphill.

Any insight into the two oddities above would be greatly appreciated.

Aaron

Greetings,

In working on authoring a new protocol analyzer plugin I have encountered
the following issues:

1) When adding a new type to be passed to an event handler, thus handled
upstream by a protocol analyzer script, types.bif only supports enums. In
order to deal with this during build time, I have added custom rule and
custom target to augment events.bif.bro before it is installed.

Am I missing something here? Is there a more streamlined approach for
doing this?

Add it to init-bare.bro. e.g.: https://github.com/bro/bro/commit/
11ec4903ee0cbd3cdb555c309f67ce399b23e37b#diff-64e7fba4a98f6581a47aa0053e9f03
c6

2) There seems to be an oddity with including an analyzer script along
side the plugin. I can see, via loaded_scripts.log, that everything is
being loaded properly. However, events are not being fired from the
analyzer script loaded from the plugins directory. If I run bro on the
command line with an accompanying PCAP, I can see all the appropriate debug
I have put into the plugin, but no events fire in the analyzer script. If I
run the same command line AND add a different analyzer script that handles
the same events, they fire and can be verified via print.

I'm not sure I fully understand. So, you have your analyzer, which is
generating some events. Then you have a script to handle those events and
generate some other events? And those script-generated events aren't
actually being generated?

  --Vlad

Oops, reread what I sent and realized it wouldn't work, since this is a
plugin. Sorry about that. I'll have to think about that a bit more.

Hi,

1) When adding a new type to be passed to an event handler, thus handled
upstream by a protocol analyzer script, types.bif only supports enums. In
order to deal with this during build time, I have added custom rule and
custom target to augment events.bif.bro before it is installed.

Am I missing something here? Is there a more streamlined approach for doing
this?

not sure whether this is of any help but I once added a new opaque type
using a plugin. As far as I remember, there was no need to adapt
anything to make that work.

Jan