[Bro] exercising binpac++/spicy parsers

Troy Jordan troyj at maine.edu
Fri Mar 13 16:40:32 PDT 2015

Johanna, that does help, thank you.

Was BACnet used simply as a test for spicy, or perhaps are there plans
to develop it further?

- Troy

On 3/13/2015 10:39 AM, Johanna Amann wrote:
> Hello Troy,
>> There are some hilti-based parsers in the Bro docker image. When I run
>> the pcaps for BACnet (/opt/hilti/bro/tests/Traces/bacnet/*.pcap) through
>> Bro (e.g. bro -r NPDU.pcap), no event logs are produced in
>> /usr/local/bro/logs.
> You have to load the applicable scripts and pac files for Bro to be able
> to parse these protocols. Which files you have to load depends a bit on
> the protocol. The easiest way is to look at the tests that should be there
> for each of the protocols, that is, to look into the tests directory in
> hilti/bro/tests. In there, pac2/bacnet/npdu_nlmessages.bro shows that to
> parse the NPDUs, it loads bacnet.evt and bacnet.bro out of the hilti
> distribution and then defines a few custom events for output.
> Generally, none of the spicy parsers come with the Bro scripts to generate
> log output -- the parsers just create events. For some of the parsers
> replacing protocols (like DNS or HTTP), the events might be similar enough
> to the events emitted by the binpac parsers to already generate logs. For
> all new protocols implemented by spicy, you would first have to create
> such scripts.
> I hope that helps,
>  Johanna


Troy Jordan
t r o y j @ m a i n e . e d u
Network Systems Security Analyst
Information Technology Security Office
University of Maine System
233 Science Building           |     voice: 207.561.3590
Portland, ME 04103             |     fax:   509.351.3650

"As you all know, Security Is Mortals chiefest Enemy"
 William Shakespeare, Macbeth
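The quoted reply above says that spicy parsers only raise events and that, for a new protocol such as BACnet, a Bro script has to be written to turn those events into log output. The script below is an added example of that pattern; it is not from the hilti distribution, the test suite, or anyone in this thread. The `@load` lines follow the file names mentioned in the reply (bacnet.evt and bacnet.bro, assumed to sit next to this script); the event name `bacnet_npdu_message` and its parameter list are assumed placeholders, since the real event declarations live in bacnet.evt and are not shown here.

```bro
# Added example, not part of the hilti distribution or this thread.
# Pattern: load the spicy parser's event definitions and helper script,
# declare a log stream, and write one record per parser event.

# ASSUMED: bacnet.evt and bacnet.bro are copied from the hilti distribution
# into the same directory as this script.
@load ./bacnet.evt
@load ./bacnet.bro

module BACnetLog;

export {
    # Register a new log stream; the file will be written as bacnet.log.
    redef enum Log::ID += { LOG };

    # One row in bacnet.log. Only fields marked &log are written.
    type Info: record {
        ts:       time    &log;
        uid:      string  &log;
        id:       conn_id &log;
        msg_type: count   &log &optional;
    };
}

event bro_init()
    {
    # Create the stream once at startup; $path selects the output file name.
    Log::create_stream(BACnetLog::LOG, [$columns=Info, $path="bacnet"]);
    }

# ASSUMED event name and signature: the real name and parameters must be
# taken from the "bacnet.evt" file shipped with the hilti distribution.
event bacnet_npdu_message(c: connection, msg_type: count)
    {
    # Build a log record from the connection context plus the parsed field.
    local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id,
                       $msg_type=msg_type];
    Log::write(BACnetLog::LOG, rec);
    }
```

Run it over one of the trace files the way the thread does, passing the script on the command line (for example `bro -r NPDU.pcap bacnet_log.bro`); if the event name matches what bacnet.evt declares, a bacnet.log appears alongside conn.log. If no bacnet.log is produced, the usual causes are the event name not matching the .evt declaration or the parser not being attached to the traffic, which is what the reply above is pointing at.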
