[Bro-Dev] #861: Merging DNP3 Analyzer
Bro Tracker
bro at tracker.bro-ids.org
Sat Oct 6 18:30:37 PDT 2012
#861: Merging DNP3 Analyzer
---------------------+------------------------
Reporter: hui | Owner: robin
Type: Task | Status: assigned
Priority: Normal | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: | Keywords: dnp3
---------------------+------------------------
Comment (by hui):
Replying to [comment:12 seth]:
> > I think what you said is the "incremental parsing"
> > mentioned in the binpac paper. But actually, I am not quite sure how
this
> > is implemented in the binpac. Can you please direct me to some codes
that
> > I refer to?
>
> It's actually not something you even need to worry about. Just
instantiate your binpac parser and begin passing data into it as you
receive it, the binpac parser will take care of the data even if it
doesn't receive the full PDU in one go.
Just come up another question. When a HTTP fragment is very long and
carried in different network packets, the HTTP binpac analyzer should know
the length of the whole fragment when the first application layer trunk is
received. Is this correct? The HTTP message contains some field to
indicate that length, right?
But for DNP3 analyzer, this is not possible. I know the length of the
whole logical DNP3 fragment only when the last trunk is received. To
better explained
TCP : DNP3 Pseudo Data Link Layer (length field is 255) : DNP3 Pseudo Data
Transport Layer : DNP3 Pseudo Application Layer #1
TCP : DNP3 Pseudo Data Link Layer (length field is 255) : DNP3 Pseudo Data
Transport Layer : DNP3 Pseudo Application Layer #2
....
TCP : DNP3 Pseudo Data Link Layer (length field is x) : DNP3 Pseudo Data
Transport Layer : DNP3 Pseudo Application Layer #n
So the length field in the Pseudo Data Link does not contain the length of
the whole DNP3 fragment, but the length of the trunk following this data
link layer. So in order to know the whole length of the DNP3 fragment (in
this case is , 255 + 255 + ... + x), all the application layer trunk has
to be received. So is there any way to use incremental parsing in the
binpac in this case?
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/861#comment:13>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
More information about the bro-dev
mailing list