<font><font face="arial,helvetica,sans-serif">Hi Robin,</font></font><div><font><font face="arial,helvetica,sans-serif"><br></font></font></div><div><font><font face="arial,helvetica,sans-serif">Can you please take a look at the current version of the code? I added documentation on the analyzer. </font></font></div>
<div><font><font face="arial,helvetica,sans-serif"><br></font></font></div><div><font><font face="arial,helvetica,sans-serif">The work left undone so far is: </font></font></div><div><font face="arial, helvetica, sans-serif">(1) So far, we support logical DNP3 application layer fragments as long as 65536 bytes. </font></div>
<div><font face="arial, helvetica, sans-serif">(2) Documentation on the protocol validation policy, the policy that checks some rules defined by the DNP3 protocol.</font></div><div><font face="arial, helvetica, sans-serif"><br></font></div>
<div><font face="arial, helvetica, sans-serif">Best,</font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">Hui Lin</font></div><div><br><div class="gmail_quote">
On Sat, Oct 6, 2012 at 8:30 PM, Bro Tracker <span dir="ltr"><<a href="mailto:bro@tracker.bro-ids.org" target="_blank">bro@tracker.bro-ids.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">#861: Merging DNP3 Analyzer<br>
---------------------+------------------------<br>
Reporter: hui | Owner: robin<br>
Type: Task | Status: assigned<br>
Priority: Normal | Milestone: Bro2.2<br>
Component: Bro | Version: git/master<br>
Resolution: | Keywords: dnp3<br>
---------------------+------------------------<br>
<br>
</div>Comment (by hui):<br>
<br>
Replying to [comment:12 seth]:<br>
<div class="im"> > > I think what you said is the "incremental parsing"<br>
> > mentioned in the binpac paper. But actually, I am not quite sure how this<br>
> > is implemented in binpac. Can you please direct me to some code that<br>
> > I can refer to?<br>
><br>
> It's actually not something you even need to worry about. Just<br>
instantiate your binpac parser and begin passing data into it as you<br>
receive it; the binpac parser will take care of the data even if it<br>
doesn't receive the full PDU in one go.<br>
<br>
</div> Another question just came up. When an HTTP fragment is very long and<br>
carried in different network packets, the HTTP binpac analyzer should know<br>
the length of the whole fragment when the first application layer chunk is<br>
received. Is this correct? The HTTP message contains some field to<br>
indicate that length, right?<br>
<br>
But for the DNP3 analyzer, this is not possible. I know the length of the<br>
whole logical DNP3 fragment only when the last chunk is received. To<br>
explain better:<br>
<br>
TCP : DNP3 Pseudo Data Link Layer (length field is 255) : DNP3 Pseudo Data<br>
Transport Layer : DNP3 Pseudo Application Layer #1<br>
TCP : DNP3 Pseudo Data Link Layer (length field is 255) : DNP3 Pseudo Data<br>
Transport Layer : DNP3 Pseudo Application Layer #2<br>
....<br>
TCP : DNP3 Pseudo Data Link Layer (length field is x) : DNP3 Pseudo Data<br>
Transport Layer : DNP3 Pseudo Application Layer #n<br>
<br>
So the length field in the Pseudo Data Link Layer does not contain the length of<br>
the whole DNP3 fragment, but the length of the chunk following this data<br>
link layer. So in order to know the whole length of the DNP3 fragment (in<br>
this case, 255 + 255 + ... + x), all the application layer chunks have<br>
to be received. So is there any way to use incremental parsing in<br>
binpac in this case?<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Ticket URL: <<a href="http://tracker.bro-ids.org/bro/ticket/861#comment:13" target="_blank">http://tracker.bro-ids.org/bro/ticket/861#comment:13</a>><br>
</font></span><div class="HOEnZb"><div class="h5">Bro Tracker <<a href="http://tracker.bro-ids.org/bro" target="_blank">http://tracker.bro-ids.org/bro</a>><br>
Bro Issue Tracker<br>
</div></div></blockquote></div><br></div><br clear="all"><div><br></div>-- <br>Hui Lin<div>PhD Candidate, Research Assistant<br>Electrical and Computer Engineering Department<br>University of Illinois at Urbana-Champaign</div>
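The situation described in the quoted ticket comment, as an added example that is not part of this e-mail thread and not code from the Bro/Zeek DNP3 analyzer: a small Python reassembler that consumes DNP3 pseudo data-link frames from a byte stream in whatever slices TCP happens to deliver, strips the per-16-byte-block CRCs, follows the transport-layer FIR/FIN bits, and only emits the logical application fragment when FIN arrives, because no earlier frame announces the total length. It also enforces the 65536-byte cap mentioned in item (1) above. Frame layout (start bytes 0x05 0x64, one-byte LEN counting the 5 header bytes plus user data, CRC-16/DNP) is standard DNP3; the builder, the sample fragment, addresses and the CTRL byte 0xC4 are constructed for the example, and application-layer headers, link addressing and sequence-number checks are deliberately left out.

```python
"""Constructed example (not code from the Bro/Zeek DNP3 analyzer): reassembling
a logical DNP3 application-layer fragment that arrives split across several
pseudo data-link frames, themselves split across arbitrary TCP segments."""
import math

MAX_APP_FRAGMENT = 65536           # cap taken from item (1) in the mail above
LINK_HDR_LEN = 10                  # 0x05 0x64 LEN CTRL DEST(2) SRC(2) CRC(2)
MAX_USER_DATA = 250                # LEN is one byte; 5 of its 255 count the header
MAX_APP_PER_FRAME = MAX_USER_DATA - 1   # one user byte is the transport header


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def _add_crcs(data: bytes) -> bytes:
    """The link layer appends a CRC after every 16-byte block of user data."""
    out = bytearray()
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        out += block + crc_dnp(block).to_bytes(2, "little")
    return bytes(out)


def build_frames(app_fragment: bytes, dest: int = 1, src: int = 2) -> list:
    """Split one application fragment into link frames. Each LEN only covers
    its own frame; FIN in the transport header marks the last one."""
    chunks = [app_fragment[i:i + MAX_APP_PER_FRAME]
              for i in range(0, len(app_fragment), MAX_APP_PER_FRAME)] or [b""]
    frames = []
    for seq, chunk in enumerate(chunks):
        fir = 0x40 if seq == 0 else 0
        fin = 0x80 if seq == len(chunks) - 1 else 0
        user = bytes([fir | fin | (seq & 0x3F)]) + chunk
        # CTRL 0xC4 (assumed): DIR=1, PRM=1, function 4 (unconfirmed user data)
        hdr = (bytes([0x05, 0x64, 5 + len(user), 0xC4])
               + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
        frames.append(hdr + crc_dnp(hdr).to_bytes(2, "little") + _add_crcs(user))
    return frames


class Dnp3Reassembler:
    """Incremental parser: feed() takes whatever bytes TCP delivered and
    returns the application fragments completed by them."""

    def __init__(self):
        self.buf = bytearray()       # unparsed link-layer bytes
        self.pending = bytearray()   # application bytes of the fragment in flight
        self.frames_seen = 0

    def feed(self, data: bytes) -> list:
        self.buf += data
        done = []
        while len(self.buf) >= LINK_HDR_LEN:
            if self.buf[0:2] != b"\x05\x64":
                raise ValueError("lost sync: bad start bytes")
            user_len = self.buf[2] - 5
            if user_len < 0:
                raise ValueError("LEN smaller than the link header")
            total = LINK_HDR_LEN + user_len + 2 * math.ceil(user_len / 16)
            if len(self.buf) < total:
                break                              # frame not complete yet
            frame, self.buf = bytes(self.buf[:total]), self.buf[total:]
            self.frames_seen += 1
            if crc_dnp(frame[:8]) != int.from_bytes(frame[8:10], "little"):
                raise ValueError("link header CRC mismatch")
            user = self._strip_crcs(frame[LINK_HDR_LEN:])
            if not user:
                continue                           # link-only frame, no transport header
            th = user[0]
            if th & 0x40:                          # FIR: a new fragment begins
                self.pending = bytearray()
            self.pending += user[1:]
            if len(self.pending) > MAX_APP_FRAGMENT:
                self.pending = bytearray()
                raise ValueError("fragment exceeds %d bytes" % MAX_APP_FRAGMENT)
            if th & 0x80:                          # FIN: total length known only now
                done.append(bytes(self.pending))
                self.pending = bytearray()
        return done

    @staticmethod
    def _strip_crcs(blocks: bytes) -> bytes:
        out = bytearray()
        for i in range(0, len(blocks), 18):
            unit = blocks[i:i + 18]
            if len(unit) < 3 or crc_dnp(unit[:-2]) != int.from_bytes(unit[-2:], "little"):
                raise ValueError("user data CRC mismatch")
            out += unit[:-2]
        return bytes(out)
```

Feeding a 600-byte fragment yields three frames with LEN 255, 255 and 108; after the first two frames the reassembler holds 498 application bytes but cannot report a fragment, and only the FIN frame completes it, regardless of how the bytes were sliced into TCP segments. The cap matters because a peer that never sends FIN would otherwise make the pending buffer grow without bound.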
<br>