[Bro-Dev] #861: Merging DNP3 Analyzer

Hui Lin (Hugo) hlin33 at illinois.edu
Fri Oct 26 11:15:51 PDT 2012


Hi, Robin,

Can you please take a look at the current version of the code. I added
documentation on the analyzer.

The work left undone so far is
(1) So far, we support logical DNP3 application layer fragments up to 65536
in length.
(2) Documentation on the protocol validation policy, the policy that checks
some rules defined by the DNP3 protocol.

Best,

Hui Lin

On Sat, Oct 6, 2012 at 8:30 PM, Bro Tracker <bro at tracker.bro-ids.org> wrote:

> #861: Merging DNP3 Analyzer
> ---------------------+------------------------
>   Reporter:  hui     |      Owner:  robin
>       Type:  Task    |     Status:  assigned
>   Priority:  Normal  |  Milestone:  Bro2.2
>  Component:  Bro     |    Version:  git/master
> Resolution:          |   Keywords:  dnp3
> ---------------------+------------------------
>
> Comment (by hui):
>
>  Replying to [comment:12 seth]:
>  > > I think what you said is the "incremental parsing" mentioned in the
>  > > binpac paper. But actually, I am not quite sure how this is
>  > > implemented in the binpac. Can you please direct me to some codes
>  > > that I can refer to?
>  >
>  > It's actually not something you even need to worry about. Just
>  > instantiate your binpac parser and begin passing data into it as you
>  > receive it; the binpac parser will take care of the data even if it
>  > doesn't receive the full PDU in one go.
>
>  Just came up with another question. When an HTTP fragment is very long and
>  carried in different network packets, the HTTP binpac analyzer should know
>  the length of the whole fragment when the first application layer trunk is
>  received. Is this correct? The HTTP message contains some field to
>  indicate that length, right?
>
>  But for the DNP3 analyzer, this is not possible. I know the length of the
>  whole logical DNP3 fragment only when the last trunk is received. To
>  better explain:
>
>  TCP : DNP3 Pseudo Data Link Layer (length field is 255) : DNP3 Pseudo Data
>  Transport Layer : DNP3 Pseudo Application Layer #1
>  TCP : DNP3 Pseudo Data Link Layer (length field is 255) : DNP3 Pseudo Data
>  Transport Layer : DNP3 Pseudo Application Layer #2
>  ....
>  TCP : DNP3 Pseudo Data Link Layer (length field is x) : DNP3 Pseudo Data
>  Transport Layer : DNP3 Pseudo Application Layer #n
>
>  So the length field in the Pseudo Data Link does not contain the length of
>  the whole DNP3 fragment, but the length of the trunk following this data
>  link layer. So in order to know the whole length of the DNP3 fragment (in
>  this case, 255 + 255 + ... + x), all the application layer trunks have
>  to be received. So is there any way to use incremental parsing in the
>  binpac in this case?
>
> --
> Ticket URL: <http://tracker.bro-ids.org/bro/ticket/861#comment:13>
> Bro Tracker <http://tracker.bro-ids.org/bro>
> Bro Issue Tracker
>



-- 
Hui Lin
PhD Candidate, Research Assistant
Electrical and Computer Engineering Department
University of Illinois at Urbana-Champaign
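An added example (not code from this thread or from the Bro/binpac analyzer) showing how the chunking described above can be reassembled incrementally: each link frame's length byte covers only its own chunk, and the fragment's total length is known only when the FIN chunk arrives, so the parser keeps state across TCP deliveries and enforces the 65536 cap mentioned in the message. The framing is a simplified model (CRC blocks omitted), and `Dnp3Reassembler`, `frame`, `demo` and `MAX_FRAGMENT` are this example's own names.

```python
# Added example, not the Bro/binpac analyzer's code. Assumed simplified framing (CRC
# blocks omitted): 0x05 0x64, one length byte, then that many bytes of transport header
# (bit6 FIR, bit7 FIN) + application chunk. Names below are the example's own.
MAX_FRAGMENT = 65536  # cap from the message above; larger fragments are rejected
class Dnp3Reassembler:
    def __init__(self):
        self.buf = b""              # bytes not yet forming a whole link frame
        self.frag = bytearray()     # application chunks of the fragment in progress
        self.collecting = False     # True between a FIR chunk and its FIN chunk
        self.fragments = []         # completed application-layer fragments
        self.errors = []            # protocol violations seen
    def deliver(self, data: bytes):
        self.buf += data
        while len(self.buf) >= 3:   # start bytes + length byte
            if self.buf[:2] != b"\x05\x64":
                self.errors.append("bad start bytes"); self.buf = b""; return
            length = self.buf[2]    # length of this chunk only, not of the fragment
            if len(self.buf) < 3 + length:
                return              # wait for the rest of this frame
            user, self.buf = self.buf[3:3 + length], self.buf[3 + length:]
            self._handle_chunk(user)
    def _handle_chunk(self, user: bytes):
        if not user:
            self.errors.append("empty frame"); return
        fir, fin, app = user[0] & 0x40, user[0] & 0x80, user[1:]
        if fir:                     # first chunk starts a new fragment
            self.frag, self.collecting = bytearray(), True
        elif not self.collecting:
            self.errors.append("chunk without FIR"); return
        if len(self.frag) + len(app) > MAX_FRAGMENT:
            self.errors.append("fragment exceeds cap")
            self.frag, self.collecting = bytearray(), False
            return
        self.frag += app
        if fin:                     # last chunk: total length is known only now
            self.fragments.append(bytes(self.frag))
            self.collecting = False

def frame(transport_hdr: int, app: bytes) -> bytes:  # constructed test frames
    user = bytes([transport_hdr]) + app
    return b"\x05\x64" + bytes([len(user)]) + user

def demo() -> Dnp3Reassembler:
    # constructed: FIR, middle and FIN chunks delivered in 100-byte TCP slices
    stream = frame(0x40, b"A" * 249) + frame(0x01, b"B" * 249) + frame(0x82, b"C" * 10)
    r = Dnp3Reassembler()
    for i in range(0, len(stream), 100):
        r.deliver(stream[i:i + 100])
    return r
```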