[Bro-Dev] Hui Lin_Confusion in Dynamic Protocol Detection

Hui Lin hlin33 at illinois.edu
Mon Aug 8 22:16:05 PDT 2011

After checking Bro's code (especially Analyzer.h, Analyzer.cc), I think the
logic is like this (please point out if I am wrong):
TCP_Analyzer will parse the TCP protocol and extract the payload (input to
the application-level protocol analyzer); this payload will be passed up to the
Analyzer class (how it is passed is not clear to me).
Once Analyzer knows this stream of TCP payload, this is the input of
ForwardStream. ForwardStream then calls Analyzer's children to use their own
DeliverStream. In each DeliverStream implementation, the Binpac Conn
function is used to parse the stream. So in my opinion, from Analyzer and
TCP_ApplicationAnalyzer to the application-level analyzer, the stream
actually does not change.

But for my situation, I have two application-level protocols, p1 and p2. p1
derives from TCP_ApplicationAnalyzer and p1 needs to parse and reconstruct the
stream from the TCP level, not directly pass the stream to p2. So I think what I
can do is to let p2 derive from p1, and then define an event handler in p1
to reconstruct the stream as it parses its protocol. In this event handler, we
can have the reconstructed stream and use it as the input to call
ForwardStream of p1. p2 still defines DeliverStream as usual, and in
this way, p2's protocol analyzer should be able to get
the reconstructed stream.


On Mon, Aug 8, 2011 at 8:49 AM, Robin Sommer <robin at icir.org> wrote:

> On Sun, Aug 07, 2011 at 21:56 -0700, you wrote:
> > So it seems that TCP_ApplicationAnalyzer behaves like a helping interface
> > between TCP protocol and other application-over-TCP protocol. I would also
> > like to learn how TCP_Analyzer passes payload to TCP_ApplicationAnalyzer in
> > implementation. For the DNP3 protocol, I actually have to write two
> > application level analyzers and one passes the payload to the other one to do
> > some further parsing. I would like to refer to TCP's implementation.
>
> TCP's data flow is more complex than you need (I believe) because the
> TCP reassembler is potentially involved too. In your case, the first
> analyzer would call its ForwardStream(), and the data will then show
> up in the second's DeliverStream() method.
> Robin
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu
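As an added illustration (not Bro's own classes, just a self-contained model written for this page), the ForwardStream/DeliverStream dispatch the thread describes, with a hypothetical outer analyzer P1 that reassembles length-prefixed frames, possibly split across TCP segments, and forwards only the reconstructed payload to its child P2. The 1-byte length framing, the class names P1/P2 and the run() driver are assumptions for the demonstration.

```cpp
#include <cstdint>
#include <memory>
#include <string>
#include <vector>

// Minimal stand-in for Bro's Analyzer base: ForwardStream hands data to every
// child's DeliverStream, which is the dispatch path discussed in the thread.
struct Analyzer {
    std::vector<std::unique_ptr<Analyzer>> children;
    virtual ~Analyzer() = default;
    virtual void DeliverStream(const std::string& data, bool orig) = 0;
    void AddChildAnalyzer(std::unique_ptr<Analyzer> a) { children.push_back(std::move(a)); }
    void ForwardStream(const std::string& data, bool orig) {
        for (auto& c : children) c->DeliverStream(data, orig);
    }
};

// P2: the inner application analyzer; it simply records what it was handed.
struct P2 : Analyzer {
    std::vector<std::string> got;
    void DeliverStream(const std::string& data, bool) override { got.push_back(data); }
};

// P1: hypothetical framing layer. Each frame is a 1-byte length followed by that
// many payload bytes. Frames may straddle TCP segments, so partial input is
// buffered until a whole frame is present; only the payload is forwarded.
struct P1 : Analyzer {
    std::string buf;
    void DeliverStream(const std::string& data, bool orig) override {
        buf += data;
        while (!buf.empty()) {
            size_t len = static_cast<uint8_t>(buf[0]);
            if (buf.size() < 1 + len) break;          // wait for the rest of the frame
            ForwardStream(buf.substr(1, len), orig);  // reconstructed payload only
            buf.erase(0, 1 + len);
        }
    }
};

// Feed constructed TCP-payload chunks through P1 and return what P2 received.
std::vector<std::string> run(const std::vector<std::string>& chunks) {
    P1 p1;
    auto p2 = std::make_unique<P2>();
    P2* p2raw = p2.get();
    p1.AddChildAnalyzer(std::move(p2));
    for (const auto& c : chunks) p1.DeliverStream(c, true);
    return p2raw->got;
}
```

With the constructed input `{"\003ab", "c\002xy"}` the first frame is split across two segments, and P2 still receives the two reconstructed payloads `abc` and `xy` rather than the raw bytes.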