List:       bro
Subject:    Re: [Bro] Event Engine Question
From:       Seth Hall <seth () icir ! org>
Date:       2012-01-04 13:53:23
Message-ID: B8E0B289-FCDC-46DC-B3B4-75F945009781 () icir ! org


On Jan 4, 2012, at 2:15 AM, Qinwen Hu wrote:

> I think the Event Engine is like the decode layer,

It's really best to stop trying to make comparisons to various components of Bro with components of Snort.  They are different systems and they work very differently. :)

> the user can write their own program to indicate which protocol that incoming packet has been used and which handle we should use, then pass to the Policy Script Interpreter layer, this layer will check the payload part, and using the signature matching to check either the incoming packet with the unknown behaviour or not.

Bro doesn't have much focus on packets.  It's concerned with connections and the protocols that run over those connections.  Signatures don't really have anything to do with it.

> So can I think that Event Engine use to indicate which event handle will be used, and the policy script layer will choose the particular script from the particular handle??

Think of the data flow like this:

Packets -> Bidirectional Streams -> Analyzers -> Events -> Event handlers (script land)

Packets get turned into bidirectional streams of data by the reassembler and the tcp analyzer.  The data streams are passed to one or more protocol analyzers (I'm glossing over this because a lot more is going on here) which take the data and turn it into events.  For example, when the http analyzer is attached to an http session and the request happens, the analyzer will create an http_request event and insert it into the event queue (which is a fairly simple FIFO).  When the event bubbles to the top of the queue, it will call all of the http_request handlers.  At that point whatever you write code to do with the event is your concern.

Does that make things more clear?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
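The following is an added example of the last stage of the pipeline Seth describes ("script land"); it is not part of his message and not code shipped by the Bro project. It is a standalone Bro script that handles the http_request event the HTTP analyzer raises, the matching http_reply event for the same session, and connection_state_remove, which fires once per connection whatever protocol ran over it. Event signatures are the Bro 2.x ones; the table name, the output format and the file name `http_handlers.bro` used in the usage note are assumptions made for the example.

```bro
# Added example, not from the original mailing-list message or the Bro project.
# Demonstrates that script land only ever sees events that an analyzer has
# already extracted from a reassembled connection; no packets appear here.
# Event signatures assume Bro 2.x.

# Per-originator count of HTTP requests seen during this run (name is ours).
global requests_by_host: table[addr] of count &default=0;

# The HTTP analyzer queues http_request after it has parsed a request line
# out of the reassembled client->server byte stream of connection c.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
{
    ++requests_by_host[c$id$orig_h];
    print fmt("%s -> %s  %s %s HTTP/%s",
              c$id$orig_h, c$id$resp_h, method, unescaped_URI, version);
}

# Same session, later in the FIFO: the analyzer has parsed the server's
# status line out of the server->client direction of the same connection.
event http_reply(c: connection, version: string, code: count, reason: string)
{
    print fmt("%s <- %s  %d %s", c$id$orig_h, c$id$resp_h, code, reason);
}

# Raised once when Bro is finished with a connection, regardless of protocol.
# c?$http is true only if the HTTP analyzer was attached to this connection,
# so this shows the connection, not the packet, is the unit of analysis.
event connection_state_remove(c: connection)
{
    if ( c?$http )
        print fmt("connection %s finished; %d HTTP requests from %s so far",
                  c$uid, requests_by_host[c$id$orig_h], c$id$orig_h);
}
```

Run it against a capture with `bro -r some_trace.pcap http_handlers.bro`: every line printed corresponds to one event popped from the queue and dispatched to the handler above, and nothing in the script has to know how the TCP reassembler or the HTTP parser produced it.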

