[Bro-Dev] Hui Lin_Binpac: handle incremental input for flowunit

Hui Lin hlin33 at illinois.edu
Thu Jul 21 21:28:46 PDT 2011

Hi Seth, Here is a piece code from SSL protocol (as you mentioned that you
met the similar problem in SSL protocol)

type SSLRecord(is_orig: bool) = record {
        head0 : uint8;
        head1 : uint8;
        head2 : uint8;
        head3 : uint8;
        head4 : uint8;
        rec : RecordText(this, is_orig) &requires(content_type),
} &length = length+5, &byteorder=bigendian,
  &let {
        version : int =
                $context.analyzer.determine_ssl_version(head0, head1,

        content_type : int = case version of {
                UNKNOWN_VERSION -> 0;
                SSLv20 -> head2+300;
                default -> head0;

        length : int = case version of {
                UNKNOWN_VERSION -> 0;
                SSLv20 -> (((head0 & 0x7f) << 8) | head1) - 3;
                default -> (head3 << 8) | head4;

Here the &length is set by its attribute length and length is then decided
according to different situation. so I think this might be working in my
case? As I can similarly set length to different value according to the
function code and then use this to set the &length.

On Thu, Jul 21, 2011 at 4:51 AM, Seth Hall <seth at icir.org> wrote:

> On Jul 21, 2011, at 1:18 AM, Hui Lin wrote:
> > The structure is kind of more complex. Some request will contain addition
> headers and objects, so you can only know the length of the whole fragment
> when you parse them all. Or at least parse this additional header (but there
> is also no length field in this additional header).  I don't quite follow
> what do you mean "framing it to the packet". Any further suggestion?
> I just mean using the packet length as the length of the request or
> response.  If that's how the protocol works and if binpac supported it (a
> lot of "if"s), that would provide you the way to give a length to the top
> parse unit to avoid the incremental parsing error.
> Maybe someone else has a suggestion?  I'm unfortunately out of ideas.
>  .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/

Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20110721/931c3e98/attachment-0001.html 

More information about the bro-dev mailing list