Hello everyone,
I want to know which module in the source code supplies the information to the root node of the analyzer tree (i.e. the Transport Layer Analyzer). Where should I look in the source code?
I urgently need to understand the information flow and the data structures involved in the analyzer layer for an academic project.
Also, I have been able to use the sample analyzer provided on the Bro site, but how do I test run it easily? Can I do something like modifying it like some already made protocol (e.g. DHCP etc.) and test run it, or what?
Hoping for a reply.
Regards,
Prateek
> I want to know which module in the source code supplies the information to the root node of the analyzer tree (i.e. the Transport Layer Analyzer). Where should I look in the source code?
> I urgently need to understand the information flow and the data structures involved in the analyzer layer for an academic project.
See Connection::NextPacket, which is called from NetSessions::DoNextPacket.
> Also, I have been able to use the sample analyzer provided on the Bro site, but how do I test run it easily? Can I do something like modifying it like some already made protocol (e.g. DHCP etc.) and test run it, or what?
You can do whatever you need/like in the implementation of the sample analyzer (e.g. the overrides of Analyzer::DeliverStream or Analyzer::DeliverPacket).
Then, to get the sample analyzer attached to particular connections so it will actually process data, there’s a choice of
(1) look into how the Analyzer::register_for_ports script-layer function is used for other protocol analyzers
(2) look into how other analyzers use DPD signatures to automatically attach themselves to a connection when the payload matches a signature
(3) hardcode the sample analyzer to be used for every connection.
It’s typical to combine (1) and (2).
- Jon
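As an added illustration of combining options (1) and (2) above (this is example code, not part of the original thread or of the Bro sample analyzer): a script that registers a hypothetical "Sample" analyzer for a port and also loads a DPD signature so it attaches on any port when the payload matches. The tag Analyzer::ANALYZER_SAMPLE, the port 7777/tcp and the "SAMPLE/" banner are assumptions; on Bro-era releases the init event is bro_init rather than zeek_init.

```zeek
##! Attaching a hypothetical "Sample" protocol analyzer to connections.
##! Assumes the plugin registers its analyzer under the tag
##! Analyzer::ANALYZER_SAMPLE and that the constructed traffic uses
##! TCP port 7777 and starts with the banner "SAMPLE/" (all assumptions).

module Sample;

export {
    ## Ports on which the sample analyzer is attached unconditionally (option 1).
    const ports = { 7777/tcp } &redef;
}

## Treat these as likely server ports so originator/responder roles are
## guessed correctly even when the start of a connection was missed.
redef likely_server_ports += { ports };

## Load the DPD signature file that sits next to this script (option 2).
## Constructed content of ./dpd.sig:
##
##   signature dpd_sample_client {
##     ip-proto == tcp
##     payload /^SAMPLE\//      # constructed banner, an assumption
##     tcp-state originator
##     enable "sample"          # lowercase analyzer name, as the engine expects
##   }
##
## With the signature, the analyzer is attached on any port as soon as the
## originator's first bytes match the banner, not only on 7777/tcp.
@load-sigs ./dpd.sig

event zeek_init() &priority=5
    {
    Analyzer::register_for_ports(Analyzer::ANALYZER_SAMPLE, ports);
    }

## Check that attachment actually worked: once the analyzer's
## DeliverStream/DeliverPacket override has parsed enough to be sure, it
## calls ProtocolConfirmation(), which raises this event and fills the
## "service" column of conn.log with "sample".
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
    {
    if ( atype == Analyzer::ANALYZER_SAMPLE )
        print fmt("sample analyzer confirmed on %s (analyzer id %d)", c$id, aid);
    }
```

To test run it against captured traffic without touching the C++ plugin again, point zeek at a pcap and this script (zeek -r sample.pcap ./sample.zeek) and look for "sample" in the service column of conn.log. On recent Zeek versions protocol_confirmation has been superseded by analyzer_confirmation_info, so adjust the handler name if the event is reported as unknown.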