[Bro] Digging through Source Code

Weasel, Gary W Jr CIV DISA RE (US) gary.w.weasel2.civ at mail.mil
Tue Jun 20 13:42:35 PDT 2017


Yes, but there's something that's still stumping me.

Looking at line 70 from https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-analyzer.pac

case 8:
        if ( element->data()->etype()->data()->size() )
                rv->Assign(11, proc_cipher_list(element->data()->etype()));

Following the breadcrumb trail in the if statement here...

        element is type KRB_REQ_Arg (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-protocol.pac)
->      data is type KRB_REQ_Arg_Data (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-protocol.pac)
->      etype is type Array (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/asn1/asn1.pac)
->      data is type ASN1Encoding (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/asn1/asn1.pac)
->      size is type ?

Following this line of thought, I'm a little confused by what "size()" is supposed to mean here, since it's not an attribute.  I can infer that it's simply returning the size of the record, but I don't have any information as to how or where that would be defined.  I've also tried looking through the source of BinPAC (https://www.bro.org/sphinx/components/binpac/README.html) but have come up empty so far.

I have a sample of Kerberos pcap that populates the msg$pa_data$encryption_type vector (from event krb_tgs_request), so I know that the aforementioned if statement is returning true -- but the other two vectors "host_addrs" and "additional_tickets" (that from documentation seem to imply they're parallel with the encryption_type vector) come up as <uninitialized>.

This made me question whether there was something wrong with the code that was causing it to miss the host_addr and ticket data; I clearly find this data in my pcap sample under padata.  This is my current theory anyway, and I wanted to see if I'm making a bad assumption somewhere or if someone can shed light on what's going on here.


-----Original Message-----
From: Azoff, Justin S [mailto:jazoff at illinois.edu]
Sent: Tuesday, June 20, 2017 3:28 PM
To: Weasel, Gary W Jr CIV DISA RE (US) <gary.w.weasel2.civ at mail.mil>
Cc: bro at bro.org
Subject: Re: [Bro] Digging through Source Code



> On Jun 20, 2017, at 3:14 PM, Weasel, Gary W Jr CIV DISA RE (US) <gary.w.weasel2.civ at mail.mil> wrote:
>
> All,
>
> I've been digging through the Bro source code, and there's been something that's mystifying me for a while now.
>
> type Array = record {
>        array_meta: ASN1EncodingMeta;
>        data:       ASN1Encoding[];
> };
>
> As from https://github.com/bro/bro/blob/57da2d091b30aad52d52fce8018feeb2cdf8ff1f/src/analyzer/protocol/asn1/asn1.pac
>
> I have no clue what "record" is in this context.  I suspect it has other attributes that are being inherited, but I haven't found anything to indicate what this is.  Does anyone have any insight into this?
>
> Thanks,
> - Gary

Does this help?

https://www.bro.org/sphinx/script-reference/types.html#type-record


--
- Justin Azoff
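As an added illustration (not Bro's generated code, and not part of the original thread), here is a hand-written C++ mock of the shape BinPAC gives the records walked through in the breadcrumb trail above. BinPAC compiles a `T[]` record field to a pointer to a `std::vector` of element pointers, so the `size()` at the end of the trail is `std::vector::size()`, and the `case 8:` guard assigns the script-level field only when the parsed list is non-empty. Class and accessor names mirror the .pac snippets quoted in the thread; `proc_cipher_list`, `KrbRequestRecord`, `field_is_set` and `parse_with_etypes` are constructed stand-ins for Bro's `Val`/`Assign` plumbing, and the `array_meta` field and the non-etype switch branches are omitted.

```cpp
// Constructed mock of BinPAC-generated record classes (not Bro's own code).
#include <cstddef>
#include <map>
#include <vector>

// Stand-in for ASN1Encoding: only a length field is modelled.
struct ASN1Encoding {
    std::size_t length;
};

// Mirrors `type Array = record { array_meta: ASN1EncodingMeta; data: ASN1Encoding[]; };`
// (array_meta omitted). BinPAC emits one accessor per record field; the array field
// yields a pointer to a std::vector of element pointers.
class Array {
public:
    explicit Array(std::vector<ASN1Encoding*>* d) : data_(d) {}
    std::vector<ASN1Encoding*>* data() const { return data_; }
private:
    std::vector<ASN1Encoding*>* data_;
};

// Mirrors KRB_REQ_Arg_Data -> etype: Array (assumption: only the etype member modelled).
class KRB_REQ_Arg_Data {
public:
    explicit KRB_REQ_Arg_Data(Array* e) : etype_(e) {}
    Array* etype() const { return etype_; }
private:
    Array* etype_;
};

// Mirrors KRB_REQ_Arg -> data: KRB_REQ_Arg_Data, plus the tag the `case 8:` switch keys on.
class KRB_REQ_Arg {
public:
    KRB_REQ_Arg(int tag, KRB_REQ_Arg_Data* d) : tag_(tag), data_(d) {}
    int tag() const { return tag_; }
    KRB_REQ_Arg_Data* data() const { return data_; }
private:
    int tag_;
    KRB_REQ_Arg_Data* data_;
};

// Constructed stand-in for the Bro record the analyzer fills: field index -> element count.
// A field that is never Assign()ed has no entry, which is what the script layer
// reports as <uninitialized>.
using KrbRequestRecord = std::map<int, std::size_t>;

// Constructed stand-in for proc_cipher_list(): only counts the entries.
static std::size_t proc_cipher_list(const Array* arr) {
    return arr->data()->size();
}

// Reproduces the logic of the `case 8:` branch quoted in the thread: field 11 is
// assigned only when the parsed etype list is non-empty; otherwise the slot stays unset.
KrbRequestRecord proc_krb_req_args(const std::vector<KRB_REQ_Arg*>& args) {
    KrbRequestRecord rv;
    for (const KRB_REQ_Arg* element : args) {
        switch (element->tag()) {
        case 8:
            if (element->data()->etype()->data()->size())
                rv[11] = proc_cipher_list(element->data()->etype());
            break;
        default:
            break;
        }
    }
    return rv;
}

// Was field `index` ever assigned?
bool field_is_set(const KrbRequestRecord& rv, int index) {
    return rv.find(index) != rv.end();
}

// Builds a constructed KRB_REQ_Arg (tag 8) whose etype list has `n` entries and parses it.
KrbRequestRecord parse_with_etypes(std::size_t n) {
    std::vector<ASN1Encoding> storage(8, ASN1Encoding{1});
    std::vector<ASN1Encoding*> ptrs;
    for (std::size_t i = 0; i < n && i < storage.size(); ++i)
        ptrs.push_back(&storage[i]);
    Array arr(&ptrs);
    KRB_REQ_Arg_Data data(&arr);
    KRB_REQ_Arg arg(8, &data);
    return proc_krb_req_args({&arg});
}
```

Running `parse_with_etypes(2)` yields a record whose field 11 holds 2, while `parse_with_etypes(0)` yields a record with field 11 unset: the analyzer's `size()` check is what decides whether a script-level vector is populated or left uninitialized, so a missing list in the captured PA-DATA leaves the corresponding field empty without any error.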



