[Bro] binpac to bro script types

Vlad Grigorescu vladg at illinois.edu
Wed May 31 12:13:39 PDT 2017


Well, that's protocol-specific, but I did some digging:

> >>> TIME_FIXUP_CONSTANT
> 11644473600
> >>> hex(filetime)
> '0x01d238cc0f66a007'
> >>> filetime/10000000.
> 13122978809.960194
> >>> _-TIME_FIXUP_CONSTANT
> 1478505209.9601936
> >>> datetime.datetime.fromtimestamp(1478505209.9601936).strftime('%Y-%m-%d %H:%M:%S')
> '2016-11-07 01:53:29'

This is already implemented in smb-time.pac:
https://github.com/bro/bro/blob/master/src/analyzer/protocol/smb/smb-time.pac#L13

You could try just adding this to your PAC file and then you'll be able
to use that function:

> %include ../smb/smb-time.pac

Check out krb-asn1.pac for an example of including another PAC file:
https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-asn1.pac

  --Vlad
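Added example, not code from the thread or from Bro's smb-time.pac: the FILETIME-to-Unix arithmetic from the REPL session above as a stand-alone Python helper that also decodes the little-endian 8-byte form SMB puts on the wire, keeps the result in UTC, and preserves 100ns precision with integer math. Function names and the sample value are my own choices.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC; the
# Unix epoch starts 11644473600 seconds later (the TIME_FIXUP_CONSTANT above).
TIME_FIXUP_CONSTANT = 11644473600
TICKS_PER_SECOND = 10_000_000
EPOCH_OFFSET_TICKS = TIME_FIXUP_CONSTANT * TICKS_PER_SECOND


def filetime_from_bytes(raw: bytes) -> int:
    """Decode the 8-byte little-endian FILETIME field as carried in SMB."""
    if len(raw) != 8:
        raise ValueError("FILETIME field must be exactly 8 bytes")
    return struct.unpack("<Q", raw)[0]


def filetime_to_unix(filetime: int) -> float:
    """Same arithmetic as the REPL session: ticks / 1e7 - TIME_FIXUP_CONSTANT."""
    if not 0 <= filetime < 1 << 64:
        raise ValueError("FILETIME must be an unsigned 64-bit integer")
    return filetime / TICKS_PER_SECOND - TIME_FIXUP_CONSTANT


def filetime_to_datetime(filetime: int) -> datetime:
    """UTC datetime keeping microsecond precision.

    Integer arithmetic avoids the float rounding visible in the REPL output,
    and an explicit tzinfo avoids fromtimestamp()'s local-time interpretation
    (the '01:53:29' above is the poster's local zone, not UTC).
    """
    ticks = filetime - EPOCH_OFFSET_TICKS          # negative for pre-1970 stamps
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def unix_to_filetime(seconds: int) -> int:
    """Inverse conversion for whole Unix seconds."""
    return (seconds + TIME_FIXUP_CONSTANT) * TICKS_PER_SECOND


# Constructed sample: the whole-second Unix time from the thread (1478505209)
# re-encoded as a little-endian FILETIME, as a binpac parser would receive it.
SAMPLE_WIRE = struct.pack("<Q", unix_to_filetime(1478505209))

if __name__ == "__main__":
    ft = filetime_from_bytes(SAMPLE_WIRE)
    print(hex(ft), filetime_to_unix(ft), filetime_to_datetime(ft).isoformat())
```

Values far enough in the future to overflow Python's datetime range raise OverflowError rather than silently wrapping, which is the behaviour you want when a malformed packet carries garbage in the timestamp field.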