[Bro-Dev] #861: Merging DNP3 Analyzer

Bro Tracker bro at tracker.bro-ids.org
Sat Oct 6 18:30:37 PDT 2012


#861: Merging DNP3 Analyzer
---------------------+------------------------
  Reporter:  hui     |      Owner:  robin
      Type:  Task    |     Status:  assigned
  Priority:  Normal  |  Milestone:  Bro2.2
 Component:  Bro     |    Version:  git/master
Resolution:          |   Keywords:  dnp3
---------------------+------------------------

Comment (by hui):

 Replying to [comment:12 seth]:
 > > I think what you said is the "incremental parsing"
 > > mentioned in the binpac paper. But actually, I am not quite sure how
 > > this is implemented in binpac. Can you please direct me to some code
 > > that I can refer to?
 >
 > It's actually not something you even need to worry about.  Just
 > instantiate your binpac parser and begin passing data into it as you
 > receive it, the binpac parser will take care of the data even if it
 > doesn't receive the full PDU in one go.

 Just came up with another question. When an HTTP fragment is very long and
 carried in different network packets, the HTTP binpac analyzer should know
 the length of the whole fragment when the first application layer chunk is
 received. Is this correct? The HTTP message contains some field to
 indicate that length, right?

 But for the DNP3 analyzer, this is not possible. I know the length of the
 whole logical DNP3 fragment only when the last chunk is received. To
 better explain:

 TCP : DNP3 Pseudo Data Link Layer (length field is 255) : DNP3 Pseudo Data
 Transport Layer : DNP3 Pseudo Application Layer #1
 TCP : DNP3 Pseudo Data Link Layer (length field is 255) : DNP3 Pseudo Data
 Transport Layer : DNP3 Pseudo Application Layer #2
 ....
 TCP : DNP3 Pseudo Data Link Layer (length field is x) : DNP3 Pseudo Data
 Transport Layer : DNP3 Pseudo Application Layer #n

 So the length field in the Pseudo Data Link layer does not contain the
 length of the whole DNP3 fragment, but the length of the chunk following
 this data link layer. So in order to know the whole length of the DNP3
 fragment (in this case, 255 + 255 + ... + x), all the application layer
 chunks have to be received. So is there any way to use incremental parsing
 in binpac in this case?

-- 
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/861#comment:13>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
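The situation hui describes, as a standalone illustration added here (it is not part of the ticket thread and is not Bro's binpac DNP3 analyzer or derived from it): each link-layer frame announces only its own length, the transport header's FIR/FIN bits mark the first and last chunk, and the application fragment is complete only when FIN arrives. The reassembler below therefore never needs the total length up front; it buffers whatever slice of the TCP stream it is handed, pulls off whole link frames as they become complete, and appends their payloads until FIN. The frame layout, CRC parameters and the 255-byte length field are stated from memory of the DNP3 specification and should be treated as assumptions; `build_frames`, `crc16_dnp`, `Dnp3Reassembler` and `reassemble_in_segments` are names invented for this example.

```python
"""Incremental reassembly of DNP3 link-layer frames into application fragments.

Constructed example, not Bro's binpac DNP3 analyzer.  Assumed wire layout:
  link header   : 05 64 LEN CTRL DST(2, LE) SRC(2, LE) CRC(2, LE)
  LEN           : counts CTRL + DST + SRC + user data (5..255), not the CRCs
  user data     : blocks of up to 16 bytes, each followed by a 2-byte CRC
  transport hdr : first user-data byte; FIN = 0x80, FIR = 0x40, seq = low 6 bits
"""

MAX_USER = 250              # LEN is one byte: 255 minus the 5 header bytes it counts
MAX_APP_CHUNK = MAX_USER - 1  # one user-data byte is the transport header


def crc16_dnp(data):
    """CRC-16/DNP as assumed here: reflected poly 0x3D65 (0xA6BC), init 0, final xor 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def _with_crcs(user):
    """Append a CRC after every 16-byte block of user data (last block may be short)."""
    out = bytearray()
    for i in range(0, len(user), 16):
        block = user[i:i + 16]
        out += block + crc16_dnp(block).to_bytes(2, "little")
    return bytes(out)


def build_frames(app, src=1, dst=1024, ctrl=0xC4):
    """Split one application fragment into link frames: the 255, 255, ..., x pattern."""
    chunks = [app[i:i + MAX_APP_CHUNK] for i in range(0, len(app), MAX_APP_CHUNK)] or [b""]
    frames = []
    for seq, chunk in enumerate(chunks):
        th = (seq & 0x3F) | (0x40 if seq == 0 else 0) | (0x80 if seq == len(chunks) - 1 else 0)
        user = bytes([th]) + chunk
        hdr = bytes([0x05, 0x64, 5 + len(user), ctrl]) + dst.to_bytes(2, "little") + src.to_bytes(2, "little")
        frames.append(hdr + crc16_dnp(hdr).to_bytes(2, "little") + _with_crcs(user))
    return frames


def wire_size(length_field):
    """Bytes on the wire for a frame whose LEN byte is length_field (header + data + CRCs)."""
    user = length_field - 5
    return 10 + user + 2 * ((user + 15) // 16)


class Dnp3Reassembler:
    """Consumes the byte stream in arbitrary slices and collects complete fragments."""

    def __init__(self):
        self.buf = bytearray()   # link-layer bytes not yet forming a whole frame
        self.app = bytearray()   # application bytes of the fragment in progress
        self.next_seq = None     # expected transport sequence number; None when idle
        self.fragments = []      # completed application-layer fragments
        self.errors = []

    def feed(self, data):
        self.buf += data
        while len(self.buf) >= 3:            # need start bytes + LEN to size the frame
            if self.buf[0] != 0x05 or self.buf[1] != 0x64 or self.buf[2] < 5:
                self.errors.append("bad link header")
                self.buf.clear(); self.app.clear(); self.next_seq = None
                return
            need = wire_size(self.buf[2])
            if len(self.buf) < need:
                return                       # frame still incomplete: wait for more data
            frame = bytes(self.buf[:need])
            del self.buf[:need]
            self._frame(frame)

    def _frame(self, frame):
        if crc16_dnp(frame[:8]) != int.from_bytes(frame[8:10], "little"):
            self.errors.append("header crc"); return
        user = bytearray()
        body = frame[10:]
        for i in range(0, len(body), 18):    # 16 data bytes + 2 CRC bytes per block
            block, crc = body[i:i + 18][:-2], body[i:i + 18][-2:]
            if crc16_dnp(block) != int.from_bytes(crc, "little"):
                self.errors.append("data crc"); return
            user += block
        th, payload = user[0], bytes(user[1:])
        fir, fin, seq = bool(th & 0x40), bool(th & 0x80), th & 0x3F
        if fir:
            self.app = bytearray()           # first chunk: start a new fragment
        elif self.next_seq is None or seq != self.next_seq:
            self.errors.append("transport seq gap")
            self.app = bytearray(); self.next_seq = None; return
        self.app += payload
        self.next_seq = (seq + 1) & 0x3F
        if fin:                              # only now is the fragment's length known
            self.fragments.append(bytes(self.app))
            self.app = bytearray(); self.next_seq = None


def reassemble_in_segments(stream, segment_size):
    """Deliver stream in fixed-size slices (simulating TCP segmentation) and reassemble."""
    r = Dnp3Reassembler()
    for i in range(0, len(stream), segment_size):
        r.feed(stream[i:i + segment_size])
    return r.fragments, r.errors
```

Feeding `b"".join(build_frames(app))` seven bytes at a time yields `[app]` with no errors, and the length fields of a 768-byte fragment come out as 255, 255, 255, 27. Corrupting one user-data byte fails that block's CRC, and the following frames are then rejected as a sequence gap because the FIR chunk was lost.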