[Bro-Dev] Hui Lin_Some question on Binpac

Robin Sommer robin at icir.org
Tue Jul 12 08:09:54 PDT 2011


On Mon, Jul 11, 2011 at 22:10 -0700, you wrote:

> tell whether the parsing packet is a "request" or a "response". For example,
> in HTTP protocol, the http header will include such information.

While that's right, BinPAC/Bro is actually not using that information
to decide which side it's parsing. Generally, Bro always considers the
originator of a connection to be the client side[1], and then it
drives BinPAC parsing accordingly.

Take a look at http-protocol.pac, there's this piece:

    type HTTP_PDU(is_orig: bool) = case is_orig of {
        true ->         request:        HTTP_Request;
        false ->        reply:          HTTP_Reply;
    };

And in http-analyzer.pac, there is:

    connection HTTP_Conn(bro_analyzer: BroAnalyzer) {
        upflow = HTTP_Flow(true);
        downflow = HTTP_Flow(false);
    };

    flow HTTP_Flow(is_orig: bool) {
        flowunit = HTTP_PDU(is_orig) withcontext (connection, this);
        ...
    }


When Bro passes in data, it tells BinPAC which of these flows to use.
From HTTP-binpac.cc:

    void HTTP_Analyzer_binpac::DeliverStream(int len, const u_char* data, bool orig)
        {
        ....
        // orig is true here if it's originator-side data.
        interp->NewData(orig, data, data + len);
        }

There's a skeleton Bro analyzer on the web page that's based on
binpac. If you use that skeleton, you should pretty much automatically
get this direction stuff right. See
http://www.bro-ids.org/development/binpac-sample-analyzer.html

Robin

[1] With a few additional heuristics for corner-cases.


-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
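A small Python model of the direction-driven dispatch described in the mail above, added here as an illustration; it is not Bro or BinPAC code, and the class and function names are assumptions of mine. It shows that the orig flag handed in with the data selects the flow (and so the PDU type) that parses it, and that bytes delivered with the wrong direction simply fail to parse, which is why the originator heuristic in [1] matters.

```python
import re

# Constructed patterns for the first line of each side (request line / status line).
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d\r\n")
STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3}) ([^\r\n]*)\r\n")

def parse_http_request(data: bytes) -> dict:
    """HTTP_Request analogue: only meaningful for originator-side bytes."""
    m = REQUEST_LINE.match(data)
    if not m:
        raise ValueError("not an HTTP request line")
    return {"kind": "request", "method": m.group(1).decode(), "uri": m.group(2).decode()}

def parse_http_reply(data: bytes) -> dict:
    """HTTP_Reply analogue: only meaningful for responder-side bytes."""
    m = STATUS_LINE.match(data)
    if not m:
        raise ValueError("not an HTTP status line")
    return {"kind": "reply", "status": int(m.group(1)), "reason": m.group(2).decode()}

class HTTPFlow:
    """flow HTTP_Flow(is_orig): the PDU type is fixed by is_orig, as in HTTP_PDU's case."""
    def __init__(self, is_orig: bool):
        self.is_orig = is_orig

    def new_data(self, data: bytes) -> dict:
        return parse_http_request(data) if self.is_orig else parse_http_reply(data)

class HTTPConn:
    """connection HTTP_Conn: upflow = HTTP_Flow(true), downflow = HTTP_Flow(false)."""
    def __init__(self):
        self.upflow = HTTPFlow(True)
        self.downflow = HTTPFlow(False)

    def new_data(self, orig: bool, data: bytes) -> dict:
        # Like interp->NewData(orig, ...): the caller's orig flag selects the flow;
        # the payload is never inspected to guess the direction.
        return (self.upflow if orig else self.downflow).new_data(data)

    def try_new_data(self, orig: bool, data: bytes):
        """The PDU, or None when the bytes do not fit the flow that orig selected."""
        try:
            return self.new_data(orig, data)
        except ValueError:
            return None
```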