[Bro-Dev] #861: Merging DNP3 Analyzer

Bro Tracker bro at tracker.bro-ids.org
Thu Oct 4 07:55:43 PDT 2012

#861: Merging DNP3 Analyzer
  Reporter:  hui     |      Owner:  robin
      Type:  Task    |     Status:  assigned
  Priority:  Normal  |  Milestone:  Bro2.2
 Component:  Bro     |    Version:  git/master
Resolution:          |   Keywords:  dnp3

Comment (by hui):

 Replying to [comment:7 robin]:
 > Replying to [comment:6 hui]:
 > > So my understanding is that an analyzer class instance represents a
 > > single TCP session including all flows? Actually I am writing to confirm
 > > this understanding.
 > Yes, the analyzer gets (all) the data from a single TCP session, so if
 > you need to remember things for the (pseudo-)link layer reassembly, you
 > can (and should) do that as part of the analyzer class.
 > One additional note though: I'm now wondering if you need to buffer the
 > data at all. Can you just pass it into the BinPAC analyzer as it comes in?
 > You don't need to have the full PDU assembled before starting to send data
 > in (just like for HTTP, you don't need to have the full HTTP session).

 Buffering all the data can cause performance issues as well as exposure to
 DoS attacks. I think what you describe is the "incremental parsing"
 mentioned in the BinPAC paper. But actually, I am not quite sure how this
 is implemented in BinPAC. Can you please direct me to some code that I
 can refer to?

 I think I can first document this version of the DNP3 analyzer and finish
 your comments. For this work, I still have to test a little bit. Then we
 can remove the data buffering in a later version of the DNP3 analyzer. Does
 that sound OK to you?

Ticket URL: <http://tracker.bro-ids.org/bro/ticket/861#comment:8>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
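The thread contrasts buffering a whole PDU before parsing with feeding bytes into the parser as the TCP session delivers them. The following C++ sketch is an added illustration of the incremental approach, not code from Bro, BinPAC or the DNP3 analyzer: it uses a constructed, hypothetical framing (2-byte big-endian length plus payload, not DNP3's real link-layer format), retains only the one PDU currently in flight, and rejects a declared length above a cap so a peer cannot force unbounded buffering. The names `IncrementalPduParser`, `kMaxPduLen`, `Feed` and the demo functions are all assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <stdexcept>
#include <utility>
#include <vector>

// Constructed framing for this example only (NOT DNP3's real format):
// a 2-byte big-endian length followed by that many payload bytes.
const std::size_t kMaxPduLen = 1024;  // cap on one PDU, so buffering stays bounded

class IncrementalPduParser {
public:
    using Handler = std::function<void(const std::vector<uint8_t>&)>;

    explicit IncrementalPduParser(Handler h) : handler_(std::move(h)) {}

    // Called with whatever chunk the stream reassembler hands us. Bytes are
    // consumed as they arrive; only the incomplete PDU is kept in memory.
    void Feed(const uint8_t* data, std::size_t len) {
        for (std::size_t i = 0; i < len; ++i) {
            pending_.push_back(data[i]);

            // Header complete: read the declared length and enforce the cap
            // before accepting a single payload byte.
            if (pending_.size() == 2) {
                expected_ = (static_cast<std::size_t>(pending_[0]) << 8) | pending_[1];
                if (expected_ > kMaxPduLen) {
                    pending_.clear();
                    expected_ = 0;
                    throw std::runtime_error("declared PDU length exceeds cap");
                }
            }

            // Payload complete: deliver it and drop the buffer immediately.
            if (pending_.size() >= 2 && pending_.size() == 2 + expected_) {
                std::vector<uint8_t> body(pending_.begin() + 2, pending_.end());
                handler_(body);
                ++delivered_;
                pending_.clear();
                expected_ = 0;
            }
        }
    }

    std::size_t Buffered() const { return pending_.size(); }   // bytes held right now
    std::size_t Delivered() const { return delivered_; }      // PDUs handed to the handler

private:
    Handler handler_;
    std::vector<uint8_t> pending_;
    std::size_t expected_ = 0;
    std::size_t delivered_ = 0;
};

// Two constructed PDUs ("abc" and "hello") delivered in chunks that split
// both the header and the payload, as TCP segmentation might. Returns the
// number of complete PDUs the parser delivered.
std::size_t DemoSplitDelivery() {
    const std::vector<uint8_t> stream = {
        0x00, 0x03, 'a', 'b', 'c',
        0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    std::size_t total_payload = 0;
    IncrementalPduParser p([&](const std::vector<uint8_t>& body) {
        total_payload += body.size();
    });
    // Chunk boundaries chosen to land mid-header and mid-payload.
    p.Feed(stream.data(), 1);
    p.Feed(stream.data() + 1, 3);
    p.Feed(stream.data() + 4, 4);
    p.Feed(stream.data() + 8, stream.size() - 8);
    return (total_payload == 8 && p.Buffered() == 0) ? p.Delivered() : 0;
}

// A header declaring 65535 bytes must be refused before any payload is buffered.
bool DemoRejectsOversized() {
    IncrementalPduParser p([](const std::vector<uint8_t>&) {});
    const uint8_t hdr[] = {0xFF, 0xFF};
    try {
        p.Feed(hdr, sizeof hdr);
    } catch (const std::runtime_error&) {
        return p.Buffered() == 0;
    }
    return false;
}

int main() {
    return (DemoSplitDelivery() == 2 && DemoRejectsOversized()) ? 0 : 1;
}
```

The point worth noticing is that memory held by the parser never exceeds one capped PDU regardless of how many sessions or how much data arrive, which is the property the comment above is after when it mentions DoS; a BinPAC analyzer receiving its input via incremental delivery gets the same shape for free, with the generated parser keeping the partial-record state instead of this hand-written buffer.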
