List: bro
Subject: Re: [Bro] Event Engine Question
From: Seth Hall <seth () icir ! org>
Date: 2012-01-04 13:53:23
Message-ID: B8E0B289-FCDC-46DC-B3B4-75F945009781 () icir ! org
On Jan 4, 2012, at 2:15 AM, Qinwen Hu wrote:
> I think the Event Engine is like the decode layer,
It's really best to stop trying to make comparisons to various components of Bro with components of Snort. They are different systems and they work very differently. :)
> the user can write their own program to indicate which protocol that incoming packet has been used and which handle we should use, then pass to the Policy Script Interpreter layer, this layer will check the payload part, and using the signature matching to check either the incoming packet with the unknown behaviour or not.
Bro doesn't have much focus on packets. It's concerned with connections and the protocols that run over those connections. Signatures don't really have anything to do with it.
> So can I think that Event Engine use to indicate which event handle will be used, and the policy script layer will choose the particular script from the particular handle??
Think of the data flow like this:
Packets -> Bidirectional Streams -> Analyzers -> Events -> Event handlers (script land)
Packets get turned into bidirectional streams of data by the reassembler and the tcp analyzer. The data streams are passed to one or more protocol analyzers (I'm glossing over this because a lot more is going on here) which take the data and turn it into events. For example, when the http analyzer is attached to an http session and the request happens, the analyzer will create an http_request event and insert it into the event queue (which is a fairly simple FIFO). When the event bubbles to the top of the queue, it will call all of the http_request handlers. At that point whatever you write code to do with the event is your concern.
Does that make things more clear?
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
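The last step of the data flow Seth describes, event handlers in script land, looks like the following in Bro script. This is an added example, not part of the original message or of the Bro distribution. It assumes the Bro 2.x signature of the `http_request` event (connection, method, original URI, unescaped URI, HTTP version); the `HttpDemo` module name and the `watched_methods` set are constructed for the example.

```bro
# Added example: two handlers for the same http_request event. When the
# http analyzer queues an http_request and it reaches the front of the
# FIFO, Bro runs every handler registered for that event, so both bodies
# below execute for each request, independently of one another.

module HttpDemo;

export {
    ## Constructed for this example: request methods worth a second look
    ## in a defender's log review. &redef lets a site override the set.
    const watched_methods: set[string] = { "PUT", "DELETE", "TRACE" } &redef;
}

# Handler 1: report the request line the analyzer extracted, together with
# the connection 4-tuple it came from (Bro works per connection, not per
# packet, so the same handler fires once per request on a keep-alive session).
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    print fmt("%s:%s -> %s:%s  %s %s HTTP/%s",
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
              method, original_URI, version);
    }

# Handler 2: same event, separate handler. Flags methods from the constructed
# watched_methods set, keyed by the connection's unique id for correlation.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    if ( method in watched_methods )
        print fmt("watched method %s on connection %s (%s)",
                  method, c$uid, unescaped_URI);
    }
```

Run it against a capture with `bro -r some_trace.pcap httpdemo.bro` (file names constructed); a request such as `DELETE /index.html HTTP/1.1` in the trace prints one line from each handler, which is the "all of the http_request handlers" behaviour the reply describes.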