[Bro-Dev] bro and DNP3 decoder

Hui Lin (Hugo) hlin33 at illinois.edu
Tue Feb 9 13:49:25 PST 2016


Hi Jeff,

I think the master branch should contain what we wrote before. I ran some
simple DNP3 test cases included in Bro from the master branch and I do see the
simple printout message.

Does running your pcap generate any error message? Do you mind sharing the
trace that you are using for me to take a look at what is going on?

Best,

Hui Lin

On Tue, Feb 9, 2016 at 3:04 PM, Jeff Barber <jbarber at computer.org> wrote:

> Hi
>
> I'm trying to use bro for decoding DNP3 traffic and following the logic
> through its parser to the various dnp3_xxx events. (The documentation on
> how to use the DNP3 events is a bit light but I think I understand what's
> happening.) When I try to follow the request objects logic (e.g. as you
> might get from a DNP3 write command), I can't see how they're getting
> output to the bro script layer at all. Most of them seem to simply dead-end
> in the parser with no event generated.
>
> I spent a little while looking through the bro branches and came across a
> branch called topics/hui/dnp3-events that _seems_ to have support for a
> bunch of additional objects. It was last worked on in February 2014 but I
> can't find any hint of it in the master branch.
>
> Just wondering if anyone can clarify. Am I misunderstanding how it works?
> Or did the code in dnp3-events branch get lost? Or was it never merged? Or
> never completed?
>
> Thanks!
>
> Addressing to Hui Lin but also including bro-dev in case someone else
> knows the history.
>
>


-- 
Hui Lin
PhD Candidate (http://hlin33.web.engr.illinois.edu/)
DEPEND (http://depend.csl.illinois.edu/)
ECE, Uni. of Illinois at Urbana-Champaign
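The script-layer side of what Jeff is tracing, as an added example that is not part of this thread or of Bro's own scripts: a Bro policy script that subscribes to the DNP3 events the parser does raise (application request/response headers and object headers), counts the object headers attached to each request, and logs write/select/operate/restart requests so a defender can see which function codes reach which outstations. The event names, their parameter lists and the DNP3::function_codes table are assumed to match the DNP3 analyzer shipped with Bro 2.x; the log stream, the record layout and the set of watched function codes are this example's own choices.

```bro
# Added example, not from the bro-dev thread or the Bro distribution.
# Assumes the Bro 2.x DNP3 events: dnp3_application_request_header,
# dnp3_application_response_header and dnp3_object_header, and the
# DNP3::function_codes name table from base/protocols/dnp3.

@load base/protocols/dnp3

module DNP3Watch;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:      time    &log;
        uid:     string  &log;
        id:      conn_id &log;
        fc:      count   &log;              # application-layer function code
        fc_name: string  &log &optional;    # name from DNP3::function_codes, if known
        objects: count   &log &default=0;   # object headers seen in the request
    };

    # Standard DNP3 function codes that change outstation state:
    # WRITE, SELECT, OPERATE, DIRECT_OPERATE, DIRECT_OPERATE_NR,
    # COLD_RESTART, WARM_RESTART. Redef to taste.
    const watched_fcs: set[count] = {
        0x02, 0x03, 0x04, 0x05, 0x06, 0x0d, 0x0e
    } &redef;
}

# Requests awaiting their response, keyed by connection uid.
global pending: table[string] of Info;

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="dnp3_requests"]);
    }

# A request header from the originator starts a new record.
event dnp3_application_request_header(c: connection, is_orig: bool,
                                      application: count, fc: count)
    {
    if ( ! is_orig )
        return;

    local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id, $fc=fc];
    if ( fc in DNP3::function_codes )
        rec$fc_name = DNP3::function_codes[fc];

    pending[c$uid] = rec;
    }

# Each object header inside the request is counted against the open record;
# this is the event that shows the "request objects" path reaching scriptland.
event dnp3_object_header(c: connection, is_orig: bool, obj_type: count,
                         qua_field: count, number: count,
                         rf_low: count, rf_high: count)
    {
    if ( is_orig && c$uid in pending )
        pending[c$uid]$objects += 1;
    }

# The response closes the record; only watched function codes are logged.
event dnp3_application_response_header(c: connection, is_orig: bool,
                                       application: count, fc: count,
                                       iin: count)
    {
    if ( c$uid !in pending )
        return;

    local rec = pending[c$uid];
    if ( rec$fc in watched_fcs )
        Log::write(LOG, rec);

    delete pending[c$uid];
    }

# Drop any request that never received a response.
event connection_state_remove(c: connection)
    {
    if ( c$uid in pending )
        delete pending[c$uid];
    }
```

Load it with the pcap under discussion (bro -r trace.pcap this_script.bro); if dnp3_requests.log stays empty while dnp3.log is populated, the request objects are indeed not reaching the script layer for those function codes, which is the gap Jeff describes.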