On Mon, May 15, 2017 at 1:46 PM, Aaron Eppert <[email protected]> wrote:
> Greetings,
>
> In working on authoring a new protocol analyzer plugin I have encountered
> the following issues:
>
> 1) When adding a new type to be passed to an event handler, thus handled
> upstream by a protocol analyzer script, types.bif only supports enums. In
> order to deal with this during build time, I have added a custom rule and
> a custom target to augment events.bif.bro before it is installed.
>
> Am I missing something here? Is there a more streamlined approach for
> doing this?
>

Add it to init-bare.bro. e.g.:
https://github.com/bro/bro/commit/11ec4903ee0cbd3cdb555c309f67ce399b23e37b#diff-64e7fba4a98f6581a47aa0053e9f03c6

> 2) There seems to be an oddity with including an analyzer script alongside
> the plugin. I can see, via loaded_scripts.log, that everything is
> being loaded properly. However, events are not being fired from the
> analyzer script loaded from the plugins directory. If I run bro on the
> command line with an accompanying PCAP, I can see all the appropriate debug
> I have put into the plugin, but no events fire in the analyzer script. If I
> run the same command line AND add a different analyzer script that handles
> the same events, they fire and can be verified via print.
>

I'm not sure I fully understand. So, you have your analyzer, which is generating some events. Then you have a script to handle those events and generate some other events? And those script-generated events aren't actually being generated?

--Vlad
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
