question regarding session creation

scott campbell scampbell at lbl.gov
Fri Sep 26 10:50:50 PDT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Background:
I have written a gsiftp analysis tool for bro, which more or less mimics
the behavior of the regular ftp analysis engine.  The authentication
mechanism within gsiftp is a regular ssl handshake which is encoded
within the ftp command session as 'ADAT' commands (as per RFC 2228 if
anybody cares) with the contents of the handshake base64 encoded. There
also exists a SSL handshake decoder (not of my creation) which can
digest regular SSL data connections.

Problem:
I would like to be able to create a new connection object to analyze the
authentication handshake from within the gsiftp analyzer, but have so
far been unable to get anything to work. The main problem is that for a
connection instantiation, say:

FTP_Conn::FTP_Conn(NetSessions* s, HashKey* k, double t, const ConnID* id,
~                const struct tcphdr* tp)
: TCP_Connection(s, k, t, id, tp)
~        {
~        pending_reply = 0;
~        }

the HashKey and ConnID are the result of the source port+IP and hence a
internal call to create another connection object has problems when it
comes time for that object to be destroyed.  I have tried using an
artificial address space to create non-conflicting hash indexes, but
have not found success.

Any thoughts or ideas?

scott

- -----
Scott Campbell
NERSC Security Analyst
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/dHx6K2Plq8B7ZBwRArMJAKCJ6rp9sDaT3OLex+jZn4/yFJX3JACgiVfL
nOLOwUtjX7QWolHq5zmGMkc=
=twzi
-----END PGP SIGNATURE-----




More information about the Bro mailing list