[Bro-Dev] Hui Lin_Some question on Binpac

Hui Lin hlin33 at illinois.edu
Tue Jul 12 20:28:26 PDT 2011


Hi,

I do follow the Binpac sample analyzer. And I also notice this part of code
which uses the value of is_orig to decide whether the packet is the request.

When Bro is used to parse network traffic on the network card, it is obvious
to see what traffic is coming in and what traffic is going out. But I am
using the traffic dump to test, so how can Binpac know which traffic is
coming in and going out? I use Wireshark and actually, Wireshark can
tell whether the packet is a request or response.

Also according to your logic, Bro considers the originator of the
traffic as the client, and then this makes sense to my situation. Since the
first packet in that dump is a response (without any request before it) and
Binpac will consider the source of the packet as the client and the receiver
as the server, this can successfully fool Binpac into thinking that this
packet is a request. Then the exception can happen.

Best,

Hui

On Tue, Jul 12, 2011 at 8:09 AM, Robin Sommer <robin at icir.org> wrote:

>
> On Mon, Jul 11, 2011 at 22:10 -0700, you wrote:
>
> > tell whether the parsing packet is a "request" or a "response". For example,
> > in HTTP protocol, the http header will include such information.
>
> While that's right, BinPAC/Bro is actually not using that information
> to decide which side it's parsing. Generally, Bro always considers the
> originator of a connection to be the client side[1], and then it
> drives BinPAC parsing accordingly.
>
> Take a look at http-protocol.pac, there's this piece:
>
>    type HTTP_PDU(is_orig: bool) = case is_orig of {
>        true ->         request:        HTTP_Request;
>        false ->        reply:          HTTP_Reply;
> };
>
> And in http-analyzer.pac, there is:
>
>    connection HTTP_Conn(bro_analyzer: BroAnalyzer) {
>        upflow = HTTP_Flow(true);
>        downflow = HTTP_Flow(false);
>    };
>
>    flow HTTP_Flow(is_orig: bool) {
>        flowunit = HTTP_PDU(is_orig) withcontext (connection, this);
>        ...
>
>    }
>
>
> When Bro passes in data, it tells BinPAC which of these flows to use.
> From HTTP-binpac.cc:
>
>    void HTTP_Analyzer_binpac::DeliverStream(int len, const u_char* data, bool orig)
>        {
>        ....
>        // orig is true here if it's originator-side data.
>        interp->NewData(orig, data, data + len);
>        }
>
> There's a skeleton Bro analyzer on the web page that's based on
> binpac. If you use that skeleton, you should pretty much automatically
> get this direction stuff right. See
> http://www.bro-ids.org/development/binpac-sample-analyzer.html
>
> Robin
>
> [1] With a few additional heuristics for corner-cases.
>
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>



-- 
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu
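The situation discussed in this thread (the originator of a connection is treated as the client, so a dump that starts with a reply gets its direction inverted) is illustrated here with an added example; this is constructed Python, not code from Bro or BinPAC. The packets, addresses and the well-known-port heuristic are assumptions standing in for Bro's own corner-case heuristics, which are not shown in the thread.

```python
"""Direction labelling as described in the thread: the first endpoint seen
sending on a connection is the originator (client), and every later segment
is labelled is_orig by comparing its source to that endpoint."""

from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: tuple      # (ip, port) of the sender
    dst: tuple      # (ip, port) of the receiver
    payload: bytes  # constructed application data

WELL_KNOWN_SERVER_PORTS = {80, 443}  # assumption: stand-in heuristic only

class ConnTracker:
    def __init__(self, use_port_heuristic=False):
        self.use_port_heuristic = use_port_heuristic
        self.orig = {}  # connection key -> originator endpoint

    @staticmethod
    def key(seg):
        # Same key for both directions of one connection
        return frozenset((seg.src, seg.dst))

    def is_orig(self, seg):
        k = self.key(seg)
        if k not in self.orig:
            orig = seg.src  # default: first sender seen is the originator
            # Corner case: the first segment seen comes *from* a well-known
            # server port, so the other endpoint is the more likely client.
            if (self.use_port_heuristic
                    and seg.src[1] in WELL_KNOWN_SERVER_PORTS
                    and seg.dst[1] not in WELL_KNOWN_SERVER_PORTS):
                orig = seg.dst
            self.orig[k] = orig
        return seg.src == self.orig[k]

def label_stream(segments, use_port_heuristic=False):
    """Return [(is_orig, first line of payload), ...] as a parser would see it."""
    tracker = ConnTracker(use_port_heuristic)
    return [(tracker.is_orig(s), s.payload.split(b"\r\n", 1)[0]) for s in segments]

# Constructed sample: the dump starts mid-connection, so the first segment
# seen is the server's reply, exactly the case raised in the thread.
CLIENT, SERVER = ("10.0.0.5", 51234), ("192.0.2.10", 80)
TRUNCATED_DUMP = [
    Segment(SERVER, CLIENT, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    Segment(CLIENT, SERVER, b"GET /next HTTP/1.1\r\nHost: example\r\n\r\n"),
]
```

Without the heuristic the reply is labelled is_orig=True and would be handed to the request parser; with it the labels match the real direction.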