Hello, I am writing a new analyzer and plugin for a TCP application protocol. Can someone help explain the relationship among the protocol, the analyzer, and the dynamic signature files? The reason I ask is that I have a payload regex in dpd.sig that will match on packets and log. Then, if I start adding to and changing my-proto-protocol.pac (while keeping the same arguments that get passed to the event), Bro's debug output will say it matches on the dpd.sig for my protocol, but it will not produce a log for my protocol. So I think I'm missing a fundamental part of how Bro processes a packet. Why does changing my-proto-protocol.pac affect what gets logged?
Thanks, Justin
_______________________________________________ bro-dev mailing list [email protected] http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
