[Bro] ssl binpac analyzer -- patches

Ruoming Pang rpang at cs.princeton.edu
Thu May 31 18:18:01 PDT 2007

On 5/31/07, jmzhou.ml at gmail.com <jmzhou.ml at gmail.com> wrote:
> Yes, the changes work well at my side.
> Some problems of binpac:
> . Split binpac out of bro source tree.

That's actually happening. Please stay tuned. Also, if you have
recommendation on a fast regexp library with BSD-like license, please
let me know. Note that we do not need perl-like captures, but only the
longest match.

> I think to make binpac standalone
> makes testing/developing much easier. One can develop new analyzers and
> test them with dedicated .pcap files.

I agree likewise. In fact, one way to significantly improve testing in
binpac is to make a (proof-of-concept) script when an issue arises.
Such as in this case... By keeping this scripts around we can make
sure that old problems do not surface again.

> . Binpac does not support SunRPC over TCP now. There are four extra bytes
> prepended in RPC packets. Either TCP layer decoder should take care of
> these extra bytes, or the RPC decoder has to do something with it. In
> addition, &exportsourcedata is used in RPC/UDP decoder based on datagram
> mode. It is not supported by flowunit mode. This means, we cannot simply
> change the decoder from datagram mode to flowunit mode for RPC/TCP.

The way I imagine doing this is to consider RPC on TCP a trivial
lower-level protocol than RPC on UDP. For each RPC-on-TCP message, the
analyzer calls the datagram mode RPC analyzer's NewData() routine.
What do you think?

> Finally, a Ref call is missing in the NewCall function when a call already
> exists, and a Unref call is not correctly called in FinishCall.

This is a good point. Thanks for pointing it out!


More information about the Bro mailing list