[Bro] [EXTERNAL] Re: Protocols in protocols

Thomas, Eric D edthoma at sandia.gov
Wed Mar 26 11:45:23 PDT 2014

Okay, let me use a specific case that exemplifies what I'm hoping to do.
Take a DCERPC packet that is transported over directed hosted SMB2 over
TCP/IP. The packet headers look like this: Ethernet|IP|TCP|NetBIOS

Taking what you said, I would instantiate the SMB2 analyzer when
processing the NetBIOS stub, and I would instantiate the DCERPC analyzer
when processing SMB2. I'm willing to do that. So how does one
instantiate/feed data to the inner protocol?

Eric Thomas

edthoma at sandia.gov

On 3/26/14, 11:34 AM, "Siwek, Jonathan Luke" <jsiwek at illinois.edu> wrote:

>On Mar 26, 2014, at 11:49 AM, Thomas, Eric D <edthoma at sandia.gov> wrote:
>> I'm writing an analyzer for a few protocols which may or may not be
>>layered. That is, a packet may be IP|TCP|ProtoA|ProtoB, or
>>IP|TCP|ProtoC|ProtoB, or IP|TCP|ProtoB, and perhaps other variations. I
>>envision writing separate protocol analyzers for each of those protocols
>>instead of having to account for all the variations in one protocol
>>analyzer. Does Bro/binPAC allow for this, and if so how? If it makes a
>>difference, in this case most of the protocols cannot have useful DPD
>For protocols that sit inside a transport protocol (TCP/UDP), it's
>typical to write a DPD signature and/or have a script that calls [1] to
>have Bro automatically instantiate and manage an analyzer for the inner
>protocol (e.g. Proto{A,B,C}).  If those may encapsulate a known
>application-layer protocol, then it may just be a matter of putting code
>inside those outer analyzers to do their own instantiation/management of
>some inner analyzer (e.g. ProtoB) and feed it the appropriate data.  But
>if the inner protocol can be another IPv4/IPv6 packet or an arbitrary
>application-layer protocol, it needs a different treatment.  I can
>elaborate if that's the situation.
>- Jon

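The thread describes the layering pattern (outer analyzer recognises the inner protocol, creates an inner analyzer, carves out the payload and hands it over) but shows no code for it. What follows is an added, self-contained C++ model of that pattern for Eric's NetBIOS|SMB2|DCERPC case; it is written for this page and is neither Bro's code nor the analyzer being discussed. It uses its own stand-in names (Analyzer, DeliverStream, ForwardStream, child); in Bro's C++ analyzer framework the corresponding calls are, to my recollection, AddChildAnalyzer() to attach the inner analyzer and ForwardStream() to pass it bytes, with ProtocolConfirmation()/ProtocolViolation() feeding DPD. Field offsets follow MS-SMB2 (WRITE request DataOffset/Length, READ response DataOffset/DataLength, both relative to the SMB2 header) and the DCERPC common header; the sample message is constructed inline, not captured traffic, and is deliberately delivered in two TCP-sized pieces so the outer layer has to reassemble before forwarding.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Stand-in for a stream analyzer (model only, not Bro's Analyzer class).
struct Analyzer {
    virtual ~Analyzer() {}
    virtual void DeliverStream(const uint8_t* data, size_t len, bool orig) = 0;
    std::vector<std::string> events;   // what this layer "raised", for inspection
    std::unique_ptr<Analyzer> child;   // the inner-protocol analyzer, if any
protected:
    // Hand bytes to the inner analyzer; the outer layer decides what and when.
    void ForwardStream(const uint8_t* data, size_t len, bool orig) {
        if (child) child->DeliverStream(data, len, orig);
    }
};

// Innermost layer: DCERPC. Checks only the 16-byte common header (rpc_vers 5)
// and reports the PDU type found at offset 2.
struct DCERPC : Analyzer {
    void DeliverStream(const uint8_t* d, size_t n, bool) override {
        if (n < 16 || d[0] != 5) { events.push_back("dcerpc_violation"); return; }
        events.push_back("dcerpc_pdu type=" + std::to_string(d[2]));
    }
};

// Middle layer: SMB2. Verifies the 0xFE 'S' 'M' 'B' magic, reads the command at
// offset 12 and, for WRITE requests and READ responses, carves the data buffer
// (the named-pipe payload) out of the message and forwards it inward.
struct SMB2 : Analyzer {
    void DeliverStream(const uint8_t* d, size_t n, bool orig) override {
        if (n < 64 || memcmp(d, "\xFE" "SMB", 4) != 0) { events.push_back("smb2_violation"); return; }
        uint16_t cmd = static_cast<uint16_t>(d[12] | (d[13] << 8));
        events.push_back("smb2_message cmd=" + std::to_string(cmd));
        size_t off, len;
        if (cmd == 9 && orig && n >= 64 + 48) {          // WRITE request
            off = d[66] | (d[67] << 8);
            len = d[68] | (d[69] << 8) | (d[70] << 16) | (size_t(d[71]) << 24);
        } else if (cmd == 8 && !orig && n >= 64 + 16) {  // READ response
            off = d[66];
            len = d[68] | (d[69] << 8) | (d[70] << 16) | (size_t(d[71]) << 24);
        } else {
            return;                                      // nothing to hand inward
        }
        if (off + len > n) { events.push_back("smb2_violation"); return; }  // bounds check
        ForwardStream(d + off, len, orig);
    }
};

// Outer layer: NetBIOS session service framing as used for direct-hosted SMB on
// TCP/445: one zero byte, a 3-byte big-endian length, then the SMB2 message.
// TCP segments do not line up with messages, so each direction is reassembled
// here and the inner analyzer only ever sees whole messages.
struct NetBIOS : Analyzer {
    std::string buf[2];
    void DeliverStream(const uint8_t* d, size_t n, bool orig) override {
        std::string& b = buf[orig ? 0 : 1];
        b.append(reinterpret_cast<const char*>(d), n);
        for (;;) {
            if (b.size() < 4) return;
            if (b[0] != 0) { events.push_back("netbios_violation"); b.clear(); return; }
            size_t len = (uint8_t(b[1]) << 16) | (uint8_t(b[2]) << 8) | uint8_t(b[3]);
            if (b.size() < 4 + len) return;              // wait for the rest of the message
            events.push_back("netbios_session_message len=" + std::to_string(len));
            ForwardStream(reinterpret_cast<const uint8_t*>(b.data()) + 4, len, orig);
            b.erase(0, 4 + len);
        }
    }
};

// Each layer owns the next, the way an outer analyzer creates and attaches its
// inner analyzer once it knows what it is carrying.
std::unique_ptr<NetBIOS> BuildChain() {
    std::unique_ptr<NetBIOS> nb(new NetBIOS());
    std::unique_ptr<SMB2> smb(new SMB2());
    smb->child.reset(new DCERPC());
    nb->child = std::move(smb);
    return nb;
}

// Deliver a byte stream in two pieces (as two TCP segments would) and collect
// every layer's events, outermost first.
std::vector<std::string> Run(const std::string& stream, size_t cut, bool orig) {
    std::unique_ptr<NetBIOS> nb = BuildChain();
    const uint8_t* p = reinterpret_cast<const uint8_t*>(stream.data());
    nb->DeliverStream(p, cut, orig);
    nb->DeliverStream(p + cut, stream.size() - cut, orig);
    std::vector<std::string> out;
    for (Analyzer* a = nb.get(); a; a = a->child.get())
        out.insert(out.end(), a->events.begin(), a->events.end());
    return out;
}

// Constructed sample (not captured traffic): one NetBIOS session message with an
// SMB2 WRITE request whose buffer is a 16-byte DCERPC header, ptype 11 (bind).
std::string SampleWrite() {
    std::string smb(64 + 48, '\0');
    smb.replace(0, 4, "\xFE" "SMB");
    smb[4] = 64;   smb[12] = 9;    // header StructureSize, Command = WRITE
    smb[64] = 49;  smb[66] = 112;  // WRITE StructureSize, DataOffset = 64 + 48
    smb[68] = 16;                  // Length of the data buffer
    std::string rpc(16, '\0');
    rpc[0] = 5; rpc[2] = 11; rpc[8] = 16;   // rpc_vers, ptype=bind, frag_length
    smb += rpc;
    std::string msg(1, '\0');      // type 0 = session message
    msg.push_back(char((smb.size() >> 16) & 0xff));
    msg.push_back(char((smb.size() >> 8) & 0xff));
    msg.push_back(char(smb.size() & 0xff));
    return msg + smb;
}

std::string WithByte(std::string s, size_t i, char c) { s[i] = c; return s; }  // corrupt one byte

int main() {
    for (const std::string& e : Run(SampleWrite(), 50, true)) std::cout << e << "\n";
    return 0;
}
```

The point for the original question is in NetBIOS::DeliverStream and SMB2::DeliverStream: the outer layer is the only place that knows where the inner message starts and ends, so it owns the reassembly and bounds checks and forwards exactly the carved payload. Corrupting the SMB2 magic (WithByte(SampleWrite(), 4, 'X')) stops the chain at the SMB2 layer with a violation and never reaches DCERPC, which is the behaviour a DPD-driven setup relies on.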