[Bro-Dev] Help creating new analyzer
Seth Hall
seth at icir.org
Fri Apr 15 12:18:18 PDT 2011
On Apr 15, 2011, at 2:37 PM, Kristin Stephens wrote:
> Attached are my .pac files. There's close to nothing in them though. I don't use &endofdata anywhere.
I think you found a bug in binpac. I've noticed that bytestrings aren't handled correctly everywhere as you would expect if they have a static length (as it seems to be happening here).
In bgp-protocol.bro, if you change...
marker: bytestring &length=16;
to
marker: uint8[16];
that will fix a piece of the problem, but you also need to define the total length of your outer containing unit (BGP_Message). The following code will do it.
type BGP_Message = record {
    marker: uint8[16];
    length: uint16;
    type:   uint8;
    msg:    bytestring &restofdata;
} &byteorder = bigendian &length=length;
With that change to the BGP_Message, it compiles fine for me. Looking forward to a BGP analyzer! :)
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
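As an added illustration, not code from the thread or from the Bro project, here is a Python parser that frames a TCP payload into BGP messages the way the BGP_Message record above does: fixed 16-byte marker, big-endian uint16 length, uint8 type, and a body whose extent comes from the length field. The sample stream and the type-1 body bytes are constructed values.

```python
import struct

BGP_MARKER = b"\xff" * 16   # RFC 4271: the marker is 16 bytes of all ones
BGP_HEADER_LEN = 19         # marker(16) + length(2) + type(1)
BGP_MAX_LEN = 4096          # RFC 4271 upper bound on a BGP message


def build_bgp_message(msg_type: int, payload: bytes = b"") -> bytes:
    """Frame a body the way the BGP_Message record describes it:
    marker, big-endian uint16 total length, uint8 type, then the body."""
    length = BGP_HEADER_LEN + len(payload)
    return BGP_MARKER + struct.pack("!HB", length, msg_type) + payload


def parse_bgp_messages(data: bytes):
    """Split a TCP payload into (type, body) tuples using the length field.
    This is what &length=length gives the binpac record: without it,
    &restofdata would swallow every following message in the stream.
    Returns (messages, leftover) where leftover is an incomplete tail."""
    messages = []
    offset = 0
    while len(data) - offset >= BGP_HEADER_LEN:
        marker = data[offset:offset + 16]
        length, msg_type = struct.unpack(
            "!HB", data[offset + 16:offset + BGP_HEADER_LEN])
        if marker != BGP_MARKER:
            raise ValueError(f"bad marker at offset {offset}")
        if length < BGP_HEADER_LEN or length > BGP_MAX_LEN:
            # A length shorter than the header would make the loop stall or
            # slice backwards; an analyzer should flag this as a violation.
            raise ValueError(f"bad length {length} at offset {offset}")
        if offset + length > len(data):
            break   # the rest of this message has not arrived yet
        body = data[offset + BGP_HEADER_LEN:offset + length]
        messages.append((msg_type, body))
        offset += length
    return messages, data[offset:]


# Constructed sample stream: a KEEPALIVE (type 4, no body), a type-1 message
# with a made-up 10-byte body, and the first 10 bytes of a third message.
SAMPLE_STREAM = (build_bgp_message(4)
                 + build_bgp_message(1, b"\x04\xfd\xe8\x00\xb4\x0a\x00\x00\x01\x00")
                 + BGP_MARKER[:10])

if __name__ == "__main__":
    msgs, rest = parse_bgp_messages(SAMPLE_STREAM)
    for t, body in msgs:
        print(f"type={t} body_len={len(body)}")
    print(f"leftover bytes: {len(rest)}")
```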