[Bro] spicy docker image - type parsing oddity

Troy Jordan troyj at maine.edu
Thu Nov 5 20:10:54 PST 2015


I'm uncertain if I've run into an issue peculiar to the spicy docker
image (which should be the latest - 247ea5070b15), or if this is syntax

In a basic modbus parser (attached: .pac2, .evt, .bro and modbus trace
file), the Message definition throws an error when executing as:

 root# bro -r modbus_part1.3.pcap modbus.evt modbus.bro

>>> struct.set __self "data" ref<MODBUS::DinputsPdu>()
<no location>:: error, operand type ref<MODBUS::DinputsPdu> is not
compatible with type ref<MODBUS::CoilsPdu> [pass::hilti::Validator]

However, the ALT Message definition works fine. In fact, if I parse the
data field with the same type (i.e. both with type CoilsPdu or both with
type DinputsPdu) it works, which is puzzling.

The idea is to parse different modbus function codes as different types
to enable raising type-specific events.

Any insights appreciated.

- Troy


                     	  Troy Jordan
                   t r o y j @ m a i n e . e d u
                Network Systems Security Analyst
             Information Technology Security Office
                    University of Maine System
233 Science Building           |     voice: 207.561.3590
Portland, ME 04103             |     fax:   509.351.3650

"As you all know, Security Is Mortals chiefest Enemy"
 William Shakespeare, Macbeth
-------------- next part --------------
A non-text attachment was scrubbed...
Name: modbus-parse-fail.tar
Type: application/octet-stream
Size: 10240 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151105/baaf507c/attachment.obj 
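For readers following this thread: the validator error quoted above ("struct.set __self "data" ref<MODBUS::DinputsPdu>" not compatible with "ref<MODBUS::CoilsPdu>") is the shape of complaint a unit field produces when two switch branches store values of different unit types into one field name. The sketch below is a constructed illustration, not the attached parser and not code from the Bro/Spicy project; it assumes current Spicy syntax rather than the 2015 .pac2 dialect, simplifies the PDUs to the request side only, and invents the field and unit names (`tid`, `pid`, `len`, `uid`, `fc`, `coils`, `dinputs`, `raw`, `CoilsPdu`, `DinputsPdu`). Its point is that each function code gets its own distinctly named and typed field, so a downstream hook can raise a type-specific event without the parser having to reconcile two types in one slot; a fallback branch keeps unknown function codes from aborting the parse.

```spicy
# Constructed Spicy sketch (assumption: modern Spicy syntax); unit and
# field names are illustrative, not taken from the original attachment.
module MODBUS;

# Read Coils request body (FC 1): starting address and quantity of coils.
type CoilsPdu = unit {
    start: uint16;
    quantity: uint16;
};

# Read Discrete Inputs request body (FC 2): same layout, distinct type,
# so events raised for it can carry their own type-specific payload.
type DinputsPdu = unit {
    start: uint16;
    quantity: uint16;
};

# One MODBUS/TCP frame: MBAP header, function code, then a body whose
# type depends on the function code. The MBAP `len` counts unit id,
# function code and body, so the body is `len - 2` bytes.
public type Message = unit {
    tid: uint16;    # transaction id
    pid: uint16;    # protocol id (0 for MODBUS)
    len: uint16;    # remaining length incl. uid and fc
    uid: uint8;     # unit (slave) id
    fc:  uint8;     # function code

    # Each branch stores into its own field, so no single field has to
    # accept two different unit types.
    switch ( self.fc ) {
        1 -> coils:   CoilsPdu;
        2 -> dinputs: DinputsPdu;
        * -> raw:     bytes &size=(self.len - 2);   # unknown/unsupported FC
    };

    on %done {
        # A per-type event hook would go here; keeping the fields separate
        # is what lets a downstream .evt file map FC 1 and FC 2 to distinct
        # events without a type clash.
        print self.fc;
    }
};
```

Whether the branches use one field or several is what decides if the validator sees two competing types; the fallback `raw` branch is there so that function codes the parser does not model are still consumed rather than causing a mid-stream parse failure.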
