[Bro] [EXTERNAL] Re: Protocols in protocols

Siwek, Jonathan Luke jsiwek at illinois.edu
Wed Mar 26 14:05:00 PDT 2014

On Mar 26, 2014, at 1:45 PM, Thomas, Eric D <edthoma at sandia.gov> wrote:

> Taking what you said, I would instantiate the SMB2 analyzer when
> processing the NetBIOS stub, and I would instantiate the DCERPC analyzer
> when processing SMB2. I¹m willing to do that. So how does one
> instantiate/feed data to the inner protocol?

There’s not necessarily a particular way it has to be done.  If the inner protocols are implementing the Analyzer interface, it might be as simple as “smb2 = new SMB2_Analyzer(Conn()); smb2->DeliverStream(data_len, data, is_orig);”.  But depending on protocol complexities, there might be a lot more code involved in how you choose to glue/chain analyzers together.

There is some NetBIOS/SMB/DCERPC code sitting around in Bro that might still be useful to you for getting ideas of how analyzer/parsers can interact w/ one another.  Another example is the FTP analyzer, which also does some simple SSL processing of ADAT commands and ties the FTP and SSL analyzers together through just the interface of the Analyzer base class and an additional SupportAnalyzer.

- Jon

More information about the Bro mailing list