[Bro-Dev] Hui Lin_Some question on Binpac
Robin Sommer
robin at icir.org
Tue Jul 12 08:09:54 PDT 2011
On Mon, Jul 11, 2011 at 22:10 -0700, you wrote:
> tell whether the parsing packet is a "request" or a "response". For example,
> in HTTP protocol, the http header will include such information.
While that's right, BinPAC/Bro is actually not using that information
to decide which side it's parsing. Generally, Bro always considers the
originator of a connection to be the client side[1], and then it
drives BinPAC parsing accordingly.
Take a look at http-protocol.pac, there's this piece:

    type HTTP_PDU(is_orig: bool) = case is_orig of {
        true  -> request: HTTP_Request;
        false -> reply:   HTTP_Reply;
    };
And in http-analyzer.pac, there is:

    connection HTTP_Conn(bro_analyzer: BroAnalyzer) {
        upflow   = HTTP_Flow(true);
        downflow = HTTP_Flow(false);
    };

    flow HTTP_Flow(is_orig: bool) {
        flowunit = HTTP_PDU(is_orig) withcontext (connection, this);
        ...
    }
When Bro passes in data, it tells BinPAC which of these flows to use.
From HTTP-binpac.cc:

    void HTTP_Analyzer_binpac::DeliverStream(int len, const u_char* data, bool orig)
        {
        ....
        // orig is true here if it's originator-side data.
        interp->NewData(orig, data, data + len);
        }
There's a skeleton Bro analyzer on the web page that's based on
binpac. If you use that skeleton, you should pretty much automatically
get this direction stuff right. See
http://www.bro-ids.org/development/binpac-sample-analyzer.html
Robin
[1] With a few additional heuristics for corner-cases.
--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
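The dispatch described in the mail, modelled in a small added C++ example (not Bro or BinPAC code; the parsers, `HttpConnModel` and `Parsed` are hypothetical stand-ins): the flow is chosen from the `orig` flag alone, so the same bytes delivered on the other side of the connection are not recognised, which is the case Robin's footnote heuristics exist for.

```cpp
#include <optional>
#include <string>

// Hypothetical stand-ins for the units the .pac "case is_orig" picks between.
struct HttpRequest { std::string method, uri, version; };
struct HttpReply   { std::string version; int status; };

// Request-line parser: "METHOD SP URI SP HTTP/x.y"
static std::optional<HttpRequest> parseRequest(const std::string& line) {
    size_t a = line.find(' ');
    size_t b = (a == std::string::npos) ? a : line.find(' ', a + 1);
    if (a == std::string::npos || b == std::string::npos) return std::nullopt;
    HttpRequest r{line.substr(0, a), line.substr(a + 1, b - a - 1), line.substr(b + 1)};
    if (r.version.rfind("HTTP/", 0) != 0) return std::nullopt;
    return r;
}

// Status-line parser: "HTTP/x.y SP CODE SP reason"
static std::optional<HttpReply> parseReply(const std::string& line) {
    if (line.rfind("HTTP/", 0) != 0) return std::nullopt;
    size_t a = line.find(' ');
    if (a == std::string::npos || line.size() < a + 4) return std::nullopt;
    std::string code = line.substr(a + 1, 3);
    for (char c : code) if (c < '0' || c > '9') return std::nullopt;
    return HttpReply{line.substr(0, a), std::stoi(code)};
}

// Outcome of feeding one line into the flow selected by the orig flag.
enum class Parsed { Request, Reply, Error };

// Models HTTP_Conn: upflow parses requests, downflow parses replies. The
// choice depends only on `orig` (who opened the connection), never on the
// bytes themselves, mirroring the .pac "case is_orig" above.
struct HttpConnModel {
    Parsed NewData(bool orig, const std::string& line) {
        if (orig) return parseRequest(line) ? Parsed::Request : Parsed::Error;
        return parseReply(line) ? Parsed::Reply : Parsed::Error;
    }
};
```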