[Bro-Dev] bro and DNP3 decoder

Jeff Barber jbarber at computer.org
Tue Feb 9 13:04:43 PST 2016


Hi

I'm trying to use bro for decoding DNP3 traffic and following the logic
through its parser to the various dnp3_xxx events. (The documentation on
how to use the DNP3 events is a bit light but I think I understand what's
happening.) When I try to follow the request objects logic (e.g. as you
might get from a DNP3 write command), I can't see how they're getting
output to the bro script layer at all. Most of them seem to simply dead-end
in the parser with no event generated.

I spent a little while looking through the bro branches and came across a
branch called topics/hui/dnp3-events that _seems_ to have support for a
bunch of additional objects. It was last worked on in February 2014 but I
can't find any hint of it in the master branch.

Just wondering if anyone can clarify. Am I misunderstanding how it works?
Or did the code in dnp3-events branch get lost? Or was it never merged? Or
never completed?

Thanks!

Addressing to Hui Lin but also including bro-dev in case someone else knows
the history.
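For readers in the same situation, here is an added example of the kind of script-layer hook the question is about; it is not part of the original message and not code from the Bro project. It assumes the DNP3 analyzer delivers the two events dnp3_application_request_header and dnp3_object_header with the signatures written below (check events.bif in your installed version), and it uses the DNP3 WRITE function code (2) as a constructed filter. It logs the object headers carried by each write request, which is the most a script can see of request objects whose payloads never surface as events; the record field dnp3_last_fc, the module name and the log path are names chosen for this example.

```zeek
# Added example (not from the original post). Assumed event signatures:
#   dnp3_application_request_header(c, is_orig, application, fc)
#   dnp3_object_header(c, is_orig, obj_type, qua_field, number, rf_low, rf_high)

module DNP3Objects;

export {
    redef enum Log::ID += { LOG };

    # One line per object header seen inside a DNP3 WRITE request.
    type Info: record {
        ts:        time    &log;
        uid:       string  &log;
        id:        conn_id &log;
        fc:        count   &log;   # function code of the enclosing request
        obj_type:  count   &log;   # group/variation as delivered by the analyzer
        qualifier: count   &log;   # qualifier field of the object header
        number:    count   &log;   # number of objects announced by the header
    };
}

# Remember the function code of the most recent request per connection
# (hypothetical field name added for this example).
redef record connection += {
    dnp3_last_fc: count &optional;
};

# Constructed constant: DNP3 function code 2 is WRITE.
const DNP3_FC_WRITE = 2;

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="dnp3_objects"]);
    }

event dnp3_application_request_header(c: connection, is_orig: bool,
                                      application: count, fc: count)
    {
    # Requests come from the originator (the master station).
    if ( is_orig )
        c$dnp3_last_fc = fc;
    }

event dnp3_object_header(c: connection, is_orig: bool, obj_type: count,
                         qua_field: count, number: count,
                         rf_low: count, rf_high: count)
    {
    # Only headers that belong to a request we have already classified.
    if ( ! is_orig || ! c?$dnp3_last_fc )
        return;

    if ( c$dnp3_last_fc != DNP3_FC_WRITE )
        return;

    Log::write(LOG, [$ts=network_time(), $uid=c$uid, $id=c$id,
                     $fc=c$dnp3_last_fc, $obj_type=obj_type,
                     $qualifier=qua_field, $number=number]);
    }
```

Load the script alongside the DNP3 analyzer (for example with bro -r capture.pcap dnp3_objects.bro) and inspect dnp3_objects.log: a write whose object headers appear here but whose object values never reach the script layer is exactly the dead end described in the question, so the log doubles as a quick check of which request objects your Bro version exposes.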