Creating a Broccoli event from raw pointers

[matthias]

In the Broccoli event callback, it is possible to obtain a raw version of an event by copying the memory range from the ev_start and ev_end pointers in the BroEvMeta struct.

However, there is currently no way to create an event from a raw byte stream. It would be great to have a simple interface that creates a Broccoli event given a pointer pair to contiguous memory range with the raw event.

[kreibich]

It'd help if I could get some stored serializations of complex events for testing. Matthias, do you have any such files sitting around?

[matthias]

Raw Broccoli Event

[matthias]

I attached a the raw binary version of two events (packet_contents and connection_EOF). If you need more examples, let me know.

[matthias]

Raw Broccoli Event (connection_EOF)

[kreibich]

Experimental support for this feature is now available in the branches/christian/oktoberfest branch as of revision 6593, via the bro_event_send_raw() function.

[anonymous]

Replying to kreibich:

Experimental support for this feature is now available in the branches/christian/oktoberfest branch as of revision 6593, via the bro_event_send_raw() function.

Great, I'll give it a try.