[Bro-Dev] Hui Lin_Out of Bound Exception from flowunit

Hui Lin hlin33 at illinois.edu
Fri Aug 26 12:12:24 PDT 2011


Actually, the -5 comes from the meaning of "len", which is specified in the
protocol itself. I also tried adding 5 to the &length of the record type. It
still generates the same exception. So I guess it is not the overall length of
the record, but the length before "rest".
Your second method, putting the length on the bytestring instead of the record,
actually generates the incremental input warning.

Actually, I also considered defining "rest" as a uint8[]. But I just don't
know how to declare the array type in event.bif. How can I pass the array of
uint8 as the input to the event handler?



On Fri, Aug 26, 2011 at 12:03 PM, Seth Hall <seth at icir.org> wrote:

>
> On Aug 26, 2011, at 12:46 PM, Hui Lin wrote:
>
> > 1217561494.208541 weird: binpac exception: out_of_bound:
> Dnp3_Test:src_addr: 8 > 3
> >
> > 8 is the size of all data before "rest", the bytestring, and 3 is the size
> of the data "start" and "len". "len" is used to define the &length of this
> record. It seems that after "len" you cannot define extra data, such as
> "ctrl", "dest_addr", and doing this will generate the above exception.
> However, if you change the type of all data after "len" into bytestring,
> then the exception will not happen. But I still want to keep those data as
> "uint8". Any suggestion to solve this problem?
>
> It looks like you probably want to do: &length=(8+len)
>
> You also forgot to explain what the "5" is for, and it looks like binpac
> tried to parse 5 bytes too far (8 > 3). From a broader perspective, if you
> have framing around this parse unit (&length applied to a parent unit) it
> probably makes more sense to define this record like this:
>
> type Dnp3_Test = record {
>        start: uint16;
>        len: uint8;
>        ctrl: uint8;
>        dest_addr: uint16;
>        src_addr: uint16;
>        rest: bytestring &length=len;
> } &byteorder = bigendian;
>
> Binpac shouldn't have any problems with that as long as it can calculate
> the fully parsed record size based on a parent record. (to avoid complaints
> about incremental parsing)
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>


-- 
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu
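The two placements of &length discussed in this thread, modelled in Python as an added example (not binpac code, and not from the thread). It assumes, per the DNP3 link-layer spec, that "len" counts ctrl, dest_addr, src_addr and the user data (hence the -5), a constructed 11-byte frame with len=8, and a simplified version of binpac's boundary check that reports the last of a run of fixed-size fields; under those assumptions the record-level variant reproduces the "src_addr: 8 > 3" message from the thread.

```python
import struct

class OutOfBound(Exception):
    """Mirrors binpac's out_of_bound message: '<field>: <needed> > <bound>'."""

# Constructed sample frame (not from the thread): start=0x0564, len=8,
# ctrl=0xC4, dest_addr=1, src_addr=2, then 3 bytes of user data.
# Assumption (DNP3 link layer): "len" counts ctrl+dest+src+data, so the
# data after the 8 fixed header bytes is len - 5 bytes long.
FRAME = bytes.fromhex("0564" "08" "c4" "0001" "0002" "aabbcc")
HEADER = struct.Struct(">HBBHH")   # start, len, ctrl, dest_addr, src_addr
FIXED = HEADER.size                # 8 bytes before "rest"

def record_length_error(buf):
    """&length=(len-5) on the whole record, the variant that failed.
    The record bound is fixed as soon as 'len' is parsed, and every fixed
    field must fit inside it. Returns the binpac-style message, or None."""
    _start, ln = struct.unpack_from(">HB", buf, 0)
    bound = ln - 5
    if FIXED > bound:
        # Simplified model: binpac batches the run of fixed-size fields into
        # one boundary check, so the last one (src_addr) is named.
        return f"src_addr: {FIXED} > {bound}"
    return None

def frame_length(buf):
    """Total record size derived from the header alone; this is what a
    parent unit must supply as its &length so binpac can frame the record
    without needing incremental input."""
    _start, ln = struct.unpack_from(">HB", buf, 0)
    return FIXED + (ln - 5)

def parse_rest_length(buf):
    """&length=(len-5) on the trailing bytestring only: the fixed fields are
    parsed unconstrained, then 'rest' takes exactly len-5 bytes."""
    if len(buf) < FIXED:
        raise OutOfBound(f"src_addr: {FIXED} > {len(buf)}")
    start, ln, ctrl, dest, src = HEADER.unpack_from(buf, 0)
    rest_len = ln - 5
    if rest_len < 0 or FIXED + rest_len > len(buf):
        raise OutOfBound(f"rest: {FIXED + rest_len} > {len(buf)}")
    return {"start": start, "len": ln, "ctrl": ctrl, "dest_addr": dest,
            "src_addr": src, "rest": buf[FIXED:FIXED + rest_len]}

if __name__ == "__main__":
    print(record_length_error(FRAME))   # src_addr: 8 > 3
    print(frame_length(FRAME))          # 11
    print(parse_rest_length(FRAME))
```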