Writing a new analyzer

Hello, I’d like to write a protocol analyzer, but I don’t know where to begin. Is BinPAC the recommended method? The documentation for BinPAC describes mostly types, so it’s not enough to get me started. I looked at some of the protocols that have .pac files and it’s way over my head at this stage. I found the BinPAC Sample Analyzer, which appears to apply mostly to Bro 1.X. Any other resources that could help?

+1.

A tutorial/workshop on the subject would be very interesting to me.

Hi,

Please see: http://www.bro.org/development/howtos/binpac-sample-analyzer.html and the presentation I gave on this at the last Bro Exchange: https://www.youtube.com/watch?v=l44MqU0l6M8&feature=youtu.be . My binpac-quickstart script is at: https://github.com/grigorescu/binpac_quickstart

If you have any specific questions, throw them out to this list and we'll see if we can help.

  --Vlad

Already a big help, thanks!