[Bro-Dev] Hui Lin_Out of Bound Exception from flowunit

Seth Hall seth at icir.org
Mon Aug 29 09:57:15 PDT 2011


On Aug 26, 2011, at 3:12 PM, Hui Lin wrote:

> Actually, -5 comes from the meaning of the "len" which is specified in the protocol itself. I also tried to add 5 on the &length to the record type. It still generates the same exception. So I guess it is not the overall length of the record, but the length before "rest".
> Your second method, to put the length on the bytestring instead of the record, actually generates the incremental input warning.

Ah, ok.  So this is your "top level" data structure?  

It just looks to me like you might be doing your field length calculation wrong.  I'd try thinking about it a bit more.

Alternately, if all of the messages start with "start" and "len" like you have in the record that you sent, you could make a higher level container and apply the length there to provide yourself a framing unit.  Like this...

type Dnp3_Head = record {
        start: uint16;
        len: uint8;
        # len-3 could very well be wrong since I'm probably misunderstanding the protocol.
        body: Dnp3_Test &length = len-3;
} &byteorder=bigendian;

type Dnp3_Test = record {
        ctrl: uint8;
        dest_addr: uint16;
        src_addr: uint16;
        # applying &length to the parent unit should allow us to use &restofdata
        rest: bytestring &restofdata;
} &byteorder = bigendian;

> Actually, I also considered defining "rest" as a uint8[]. But I just don't know how to declare the array type in event.bif. How can I pass the array of uint8 as the input to the event handler?

I would probably try to avoid doing that unless the data makes sense as an array of ints.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
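
A simplified Python model of the framing-unit idea in the message above, added here as an illustration; it is not code from the thread or from binpac. The exception names, the `adjust` parameter and the sample bytes are constructed for this example, and `adjust=3` is the `len-3` value the message itself flags as possibly wrong.

```python
import struct

class OutOfBound(Exception):
    """The fixed fields need more bytes than the framing unit provides."""

class NeedMoreData(Exception):
    """The buffer ends before the framing unit does."""

# ctrl (uint8), dest_addr (uint16), src_addr (uint16), big-endian as in Dnp3_Test
FIXED = struct.Struct(">BHH")

def parse_head(buf, adjust=3):
    """Model of Dnp3_Head: start, len, then a body bounded to len - adjust bytes.

    adjust is a parameter (hypothetical name) so other length calculations
    can be tried against the same input.
    """
    if len(buf) < 3:
        raise NeedMoreData("header needs 3 bytes, have %d" % len(buf))
    start, length = struct.unpack_from(">HB", buf, 0)
    body_len = length - adjust
    if body_len < 0:
        raise OutOfBound("len=%d gives a negative body length" % length)
    if len(buf) < 3 + body_len:
        raise NeedMoreData("body needs %d bytes, have %d" % (body_len, len(buf) - 3))
    # The framing unit: the body parser never sees bytes past this slice.
    body = buf[3:3 + body_len]
    if len(body) < FIXED.size:
        raise OutOfBound("body is %d bytes, fixed fields need %d"
                         % (len(body), FIXED.size))
    ctrl, dest, src = FIXED.unpack_from(body, 0)
    # Equivalent of &restofdata: whatever is left inside the bounded unit.
    rest = body[FIXED.size:]
    return {"start": start, "len": length, "ctrl": ctrl, "dest_addr": dest,
            "src_addr": src, "rest": rest, "consumed": 3 + body_len}

# Constructed sample: start, len=10, 7 body bytes, then one byte of the next message.
SAMPLE = bytes.fromhex("0564" "0a" "c4" "0001" "0002" "aabb" "ff")

if __name__ == "__main__":
    print(parse_head(SAMPLE))            # rest is bounded to the framing unit
    try:
        parse_head(SAMPLE, adjust=6)     # body shrinks below the 5 fixed bytes
    except OutOfBound as exc:
        print("out of bound:", exc)
```

With the length applied to the container, a miscalculated length shows up as either a body too short for the fixed fields or a unit that runs past the available bytes, rather than `rest` silently absorbing the following message.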



