[Bro-Dev] #861: Merging DNP3 Analyzer

Bro Tracker bro at tracker.bro-ids.org
Wed Oct 3 11:44:52 PDT 2012


#861: Merging DNP3 Analyzer
---------------------+------------------------
  Reporter:  hui     |      Owner:  robin
      Type:  Task    |     Status:  assigned
  Priority:  Normal  |  Milestone:  Bro2.2
 Component:  Bro     |    Version:  git/master
Resolution:          |   Keywords:  dnp3
---------------------+------------------------

Comment (by robin):

 Replying to [comment:6 hui]:

 > So my understanding is that an analyzer class instance represents a single
 > TCP session including all flows? Actually I am writing to confirm this
 > understanding.

 Yes, the analyzer gets (all) the data from a single TCP session, so if you
 need to remember things for the (pseudo-)link layer reassembly, you can
 (and should) do that as part of the analyzer class.

 One additional note though: I'm now wondering if you need to buffer the
 data at all. Can you just pass it into the BinPAC analyzer as it comes in?
 You don't need to have the full PDU assembled before starting to send data
 in (just like for HTTP, you don't need to have the full HTTP session).

-- 
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/861#comment:7>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
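As an added illustration of the per-session state robin describes (not code from the ticket or from Bro itself), the following hypothetical C++ class keeps the DNP3 pseudo-link-layer reassembly inside one object per TCP session and accepts stream data in whatever chunk sizes the transport delivers, emitting each link frame's user data as soon as it is complete. It relies only on the public DNP3 link-frame layout (0x05 0x64 start bytes, LEN counting CTRL+DEST+SRC plus user data, a 2-byte CRC after the 10-byte header and after every 16-byte data block); CRC verification is deliberately omitted.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical per-TCP-session reassembler: one instance per session, fed
// chunks as they arrive (any boundaries), yields complete DNP3 link frames.
// CRCs are skipped over but NOT verified in this example.
class Dnp3LinkReassembler {
public:
    // Feed one chunk of stream data; returns the user-data payload of every
    // link-layer frame completed by this chunk, with the CRC bytes removed.
    std::vector<std::vector<uint8_t>> Deliver(const uint8_t* data, size_t len) {
        buf_.insert(buf_.end(), data, data + len);
        std::vector<std::vector<uint8_t>> out;
        for (;;) {
            // Resynchronise on the 0x05 0x64 start bytes, dropping junk.
            size_t i = 0;
            while (i + 1 < buf_.size() && !(buf_[i] == 0x05 && buf_[i + 1] == 0x64))
                ++i;
            buf_.erase(buf_.begin(), buf_.begin() + i);
            if (buf_.size() < 10) break;                   // header incomplete
            size_t user = buf_[2];                         // LEN field
            if (user < 5) { buf_.erase(buf_.begin()); continue; } // bogus LEN
            user -= 5;                                     // minus CTRL, DEST, SRC
            // 10-byte header (incl. CRC) + data + one 2-byte CRC per 16-byte block.
            size_t total = 10 + user + 2 * ((user + 15) / 16);
            if (buf_.size() < total) break;                // frame incomplete
            std::vector<uint8_t> payload;
            for (size_t off = 10, left = user; left > 0;) {
                size_t n = left < 16 ? left : 16;
                payload.insert(payload.end(), buf_.begin() + off, buf_.begin() + off + n);
                off += n + 2;                              // skip block CRC
                left -= n;
            }
            out.push_back(payload);
            buf_.erase(buf_.begin(), buf_.begin() + total);
        }
        return out;
    }
    // Bytes still waiting for the rest of a frame (session state).
    size_t Pending() const { return buf_.size(); }
private:
    std::vector<uint8_t> buf_;
};
```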