Unknown protocol in Bro


I used Bro version 1.1.0.
I wrote a policy for dumping data content that is transferred over an unknown protocol.
And I modified the method NewConn() in the NetSessions class:
if the port value isn't handled, I create an instance of the UnknownConnection class,
which fires events for each request/reply of its connection. These events are handled in the policy script and write the content to the HDD.

How can I do the same in new versions of Bro?

Best regards,
Anton Korovin

The best location for such functionality should be
DPM::BuildInitialAnalyzerTree() in DPM.{h,cc} (DPM is the "dynamic
protocol manager"). In the new version of Bro, this method makes
the initial decision which analyzers to use for a connection, in
particular by checking whether there is a well-known port for any of
the protocols Bro supports.

Instead of creating an UnknownConnection class, you can derive a
class UnknownProtocolAnalyzer from class Analyzer and then add an
instance of that in BuildInitialAnalyzerTree() to the connection's
analyzer tree whenever there isn't any other analyzer to put in

The drawback of this approach is that you'll also be writing content
to disk for connections for which an analyzer is found later, e.g.,
via DPD's signature matching. If that is a problem (i.e., you don't
want to rely on well-known ports only for the content saving), an
alternative would be to instantiate the UnknownProtocolAnalyzer
later, e.g., only once the signature matching has been turned off.
Until this point all content is buffered so you wouldn't lose
anything. However, performance might be affected somewhat with this
approach if there are a lot of connections with unsupported

Let me know if you need more details on the DPD implementation.
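The two dispatch strategies described in the reply above (attach a fallback analyzer at connection start based on the well-known-port check, or defer it and buffer payload until DPD has given up), modelled as a stand-alone example. This is added illustration code, not Bro's source and not the poster's patch: the Connection, Analyzer, BuildInitialAnalyzerTree, DeferredDispatcher and kWellKnownPorts names, and the sample payload on port 9999, are assumptions made for this example only.

```cpp
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-alone model of the two dispatch strategies discussed in the reply.
// All names here are assumptions for the example; they are not Bro's classes.

struct Connection {
    uint16_t resp_port;          // responder (server) port of the flow
    std::string saved_content;   // what the fallback analyzer "writes to disk"
};

class Analyzer {
public:
    virtual ~Analyzer() = default;
    virtual std::string Name() const = 0;
    // Called once per chunk of payload; is_orig distinguishes originator from responder.
    virtual void Deliver(Connection& c, const std::string& data, bool is_orig) = 0;
};

// A protocol analyzer that knows what it is looking at does not save raw content.
class NamedAnalyzer : public Analyzer {
    std::string name_;
public:
    explicit NamedAnalyzer(std::string name) : name_(std::move(name)) {}
    std::string Name() const override { return name_; }
    void Deliver(Connection&, const std::string&, bool) override {}
};

// Fallback analyzer: records each request/reply so a script could dump it.
class UnknownProtocolAnalyzer : public Analyzer {
public:
    std::string Name() const override { return "UnknownProtocol"; }
    void Deliver(Connection& c, const std::string& data, bool is_orig) override {
        c.saved_content += (is_orig ? "orig: " : "resp: ") + data + "\n";
    }
};

// Well-known ports the model "supports" (illustrative subset, an assumption).
static const std::map<uint16_t, std::string> kWellKnownPorts = {
    {21, "FTP"}, {25, "SMTP"}, {80, "HTTP"}};

// Strategy 1: decide at connection start from the port alone. Anything not in
// the port table gets the unknown-protocol analyzer immediately.
std::unique_ptr<Analyzer> BuildInitialAnalyzerTree(const Connection& c) {
    auto it = kWellKnownPorts.find(c.resp_port);
    if (it != kWellKnownPorts.end())
        return std::make_unique<NamedAnalyzer>(it->second);
    return std::make_unique<UnknownProtocolAnalyzer>();
}

std::string InitialAnalyzerFor(uint16_t port) {
    Connection c{port, ""};
    return BuildInitialAnalyzerTree(c)->Name();
}

// Strategy 2: keep buffering while signature matching (DPD) is still running
// and only attach the fallback once DPD gives up without a match.
class DeferredDispatcher {
    Connection& conn_;
    std::unique_ptr<Analyzer> analyzer_;
    std::vector<std::pair<std::string, bool>> pending_;
public:
    explicit DeferredDispatcher(Connection& c) : conn_(c) {}

    void Deliver(const std::string& data, bool is_orig) {
        if (analyzer_) analyzer_->Deliver(conn_, data, is_orig);
        else pending_.emplace_back(data, is_orig);   // nothing is lost while undecided
    }
    // DPD matched a signature: replay buffered content into the real analyzer.
    void OnSignatureMatch(const std::string& proto) { Attach(std::make_unique<NamedAnalyzer>(proto)); }
    // DPD turned off without a match: now fall back to content saving.
    void OnDpdDisabled() { Attach(std::make_unique<UnknownProtocolAnalyzer>()); }
    std::string ActiveName() const { return analyzer_ ? analyzer_->Name() : "(buffering)"; }
private:
    void Attach(std::unique_ptr<Analyzer> a) {
        analyzer_ = std::move(a);
        for (auto& p : pending_) analyzer_->Deliver(conn_, p.first, p.second);
        pending_.clear();
    }
};

// Worked scenario on a constructed flow to port 9999: two chunks arrive before
// DPD has decided. Returns "<analyzer>|<content the fallback saved>".
std::string DeferredScenario(bool dpd_matches) {
    Connection c{9999, ""};
    DeferredDispatcher d(c);
    d.Deliver("HELLO", true);
    d.Deliver("HI THERE", false);
    if (dpd_matches) d.OnSignatureMatch("CustomProto");
    else d.OnDpdDisabled();
    return d.ActiveName() + "|" + c.saved_content;
}
```

Running DeferredScenario(true) shows the trade-off the reply mentions: when a signature matches after the port check failed, the buffered bytes go to the matched analyzer and nothing is written out, whereas the port-only strategy would already have saved them.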