[Bro-Dev] Hui Lin_Out of Bound Exception from flowunit

Hui Lin hlin33 at illinois.edu
Mon Aug 29 11:13:23 PDT 2011 

On Mon, Aug 29, 2011 at 11:57 AM, Seth Hall <seth at icir.org> wrote:

>
> On Aug 26, 2011, at 3:12 PM, Hui Lin wrote:
>
> > Actually, -5 comes from the meaning of the "len" which is specified in
> the protocol itself. I also try to add 5 on the &length to the record type.
> It still generate same exception. So I guess it is not the overall length of
> the record, but the length before "rest".
> > Your second method to put length on the bytestring instead of record
> actually generate the incremental input warning.
>
> Ah, ok.  So this is your "top level" data structure?
>
> It just looks to me like you might be doing your field length calculation
> wrong.  I'd try thinking about it a bit more.
>
> Alternately, if all of the messages start with "start" and "len" like you
> have in the record that you sent, you could make a higher level container
> and apply the length there to provide yourself a framing unit.  Like this...
>
> type Dnp3_Head = record {
>        start: uint16;
>        len: uint8;
>        # len-3 could very well be wrong since I'm probably misunderstanding
> the protocol.
>        body: Dnp3_Test &length = len-3;
> } &byteorder=bigendian;
>

I was doing this before actually. There is still problem when you put a
uint8 data type after this high level record. However, I find that right
after the int data type, you have to set a "bytestring" to eliminate this
problem. I don't know why. So what I am doing is that I actually defined a
dump variable which is of type bytestring with length 0 and it works.

>
> type Dnp3_Test = record {
>         ctrl: uint8;
>        dest_addr: uint16;
>        src_addr: uint16;
>         # applying &length to the parent unit should allow us to use
> &restofdata
>        rest: bytestring &restofdata;
> } &byteorder = bigendian;
>
> > Actually, I also consider about define "rest" as a uint8[]. But I just
> don't know how to declare the array type in event.bif. How can I pass the
> array of uint8 as the input to the event  handler?
>
> I would probably try to avoid doing that unless the data makes sense as an
> array of ints.
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>


-- 
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20110829/9c18a8bd/attachment.html

More information about the bro-dev mailing list