[Bro] Problems in writing an analyzer for custom TCP-based protocol

Valerio valerio.click at gmx.com
Thu Jun 22 08:39:26 PDT 2017

Hi all,

I am trying to write a simple analyzer with BinPAC for a custom binary
TCP protocol with the following structure

|FIXED       | MESSAGE_1 # MESSAGE_2 # ....... # MESSAGE_N |
|HEX PREFIX  |                                              |

The problem is that the above structure doesn't have a fixed length and,
therefore, it can be spread across several TCP packets.

At the moment, my prot_protocol.pac file has the following structure:

type PROT_Message = record {
	entry: uint8[] &until($input.length() == 0);
};

type PROT_PDU(is_orig: bool) = record {
	entry : bytestring &restofdata;
} &byteorder=bigendian;

The analyzer processes every packet by calling the following
function (as defined in prot_analyzer.pac):

refine flow PROT_FLOW += {
	function proc_prot_message(msg: PROT_PDU): bool
		%{
		// function body not included in the post; placeholder so the block is complete
		return true;
		%}
};

The analyzer is activated with a DPD signature that matches the FIXED prefix.
Once activated, the function proc_prot_message is called for each packet
in the session, exposing its payload in msg.

What is the best way to feed the analyzer with the whole reassembled TCP
payload so that I can process it once without having to keep state while
processing each single packet?

Many thanks in advance,
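BinPAC's flowunit mode (as opposed to datagram mode) buffers the TCP stream for the generated parser, so the per-packet state the post wants to avoid lives in the parser rather than in proc_prot_message. As an added illustration, not Bro or BinPAC code and not from the original post, the Python below shows that buffering for the format described above: the FIXED prefix value is a constructed placeholder, and the cap on pending bytes is an assumption added so that a stream with no separator cannot grow the buffer without bound.

```python
# Incremental parser for:  <FIXED hex prefix> MESSAGE_1 # MESSAGE_2 # ... # MESSAGE_N
# Payload arrives one TCP segment at a time; a message may straddle segments,
# so only the unconsumed tail is kept between calls to feed().

FIXED_PREFIX = bytes.fromhex("deadbeef")  # constructed placeholder, not the real prefix
SEPARATOR = b"#"
MAX_PENDING = 64 * 1024                   # assumed bound on bytes buffered without a separator


class ProtStreamParser:
    def __init__(self):
        self.buf = b""          # bytes received but not yet turned into a message
        self.prefix_seen = False
        self.messages = []

    def feed(self, segment: bytes):
        """Consume one segment's payload; return the messages completed by it."""
        self.buf += segment
        if not self.prefix_seen:
            if len(self.buf) < len(FIXED_PREFIX):
                return []       # prefix itself may be split across segments: wait
            if not self.buf.startswith(FIXED_PREFIX):
                raise ValueError("stream does not start with the FIXED prefix")
            self.buf = self.buf[len(FIXED_PREFIX):]
            self.prefix_seen = True
        completed = []
        while True:
            idx = self.buf.find(SEPARATOR)
            if idx < 0:
                break
            completed.append(self.buf[:idx])
            self.buf = self.buf[idx + len(SEPARATOR):]
        if len(self.buf) > MAX_PENDING:
            raise ValueError("unterminated message exceeds MAX_PENDING")
        self.messages.extend(completed)
        return completed

    def finish(self):
        """End of flow: MESSAGE_N carries no trailing separator, so flush it."""
        if self.buf:
            self.messages.append(self.buf)
            self.buf = b""
        return self.messages


def parse_segments(segments):
    """Feed a list of segment payloads (constructed sample input) and return all messages."""
    parser = ProtStreamParser()
    for seg in segments:
        parser.feed(seg)
    return parser.finish()
```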
