On Wed, May 02, 2018 at 22:22 +0200, you wrote:
> 1) Reassembling packets: Some S7CommPlus packets whose payload is over a
> certain amount of bytes will be split and need to be reassembled.

As a couple quick pointers, the DNP3 and DTLS analyzers face a similar task; you might find some ideas there.

> If I want to generate a Bro event which contains the payload as a
> parameter, how do I do that?

If with "payload" you mean the raw bytes, you would pass that as a string into the event. But it's hard to do much with that raw data in script-land. The common way would be instead creating one event per type of payload and then raising the corresponding event as you parse packets and find out what's in there.

Robin

--
Robin Sommer * ICSI/LBNL * ro...@icir.org * www.icir.org/robin