[Bro-Dev] bro and DNP3 decoder

Jeff Barber jbarber at computer.org
Tue Feb 9 15:19:28 PST 2016


It's only particular object types and especially those in the *request*
that I'm referring to. I do see response objects fine. I wish I had better
pcaps to share, but I'm having trouble finding those myself. :)


I have attached one I found on the web which, according to wireshark, has a
single write of object type 50, variation 01. It produces these events:

header_block, [orig_h=127.0.0.1, orig_p=37712/tcp, resp_h=127.0.0.1, resp_p=20000/tcp, vlan=0, inner_vlan=0], T, Start, 25605, Len, 18, Ctrl, 196, Dst, 3, Src, 4
application_request_header, [orig_h=127.0.0.1, orig_p=37712/tcp, resp_h=127.0.0.1, resp_p=20000/tcp, vlan=0, inner_vlan=0], T, App, 193, FC, 2
object_header, [orig_h=127.0.0.1, orig_p=37712/tcp, resp_h=127.0.0.1, resp_p=20000/tcp, vlan=0, inner_vlan=0], T, OT, 12801, Qua, 7, Num, 1, RF, 1, 0
object_prefix, [orig_h=127.0.0.1, orig_p=37712/tcp, resp_h=127.0.0.1, resp_p=20000/tcp, vlan=0, inner_vlan=0], T, PREF, 0

(Mnemonics are included, except for the first two fields, which are always c$id
and is_orig.)

but there's no event giving the content of that object type.


I'm not getting any error messages, but just in looking at the .pac files
in the dnp3 directory, I see the code apparently parsing all the unique
types below, but it doesn't seem to be generating events for any of them.
At least some of those *do* seem to have had events generated for them in
that dnp3-events branch code.

AnaOutStatus32
AnaOutStatus16
AnaOutStatusSP
AnaOutStatusDP
AnaOut32
AnaOut16
AnaOutSP
AnaOutDP
AnaOutEve32woTime
AnaOutEve16woTime
AnaOutEve32wTime
AnaOutEve16wTime
AnaOutEveSPwoTime
AnaOutEveDPwoTime
AnaOutEveSPwTime
AnaOutEveDPwTime


Thanks.


On Tue, Feb 9, 2016 at 4:49 PM, Hui Lin (Hugo) <hlin33 at illinois.edu> wrote:

> Hi Jeff,
>
> I think the master branch should contain what we wrote before. I ran some
> simple DNP3 test cases included in Bro from the master branch and I do see the
> simple print-out message.
>
> Does running your pcap generate any error message? Do you mind sharing the
> trace that you are using for me to take a look at what is going on?
>
> Best,
>
> Hui Lin
>
> On Tue, Feb 9, 2016 at 3:04 PM, Jeff Barber <jbarber at computer.org> wrote:
>
>> Hi
>>
>> I'm trying to use bro for decoding DNP3 traffic and following the logic
>> through its parser to the various dnp3_xxx events. (The documentation on
>> how to use the DNP3 events is a bit light but I think I understand what's
>> happening.) When I try to follow the request objects logic (e.g. as you
>> might get from a DNP3 write command), I can't see how they're getting
>> output to the bro script layer at all. Most of them seem to simply dead-end
>> in the parser with no event generated.
>>
>> I spent a little while looking through the bro branches and came across a
>> branch called topics/hui/dnp3-events that _seems_ to have support for a
>> bunch of additional objects. It was last worked on in February 2014 but I
>> can't find any hint of it in the master branch.
>>
>> Just wondering if anyone can clarify. Am I misunderstanding how it works?
>> Or did the code in dnp3-events branch get lost? Or was it never merged? Or
>> never completed?
>>
>> Thanks!
>>
>> Addressing to Hui Lin but also including bro-dev in case someone else
>> knows the history.
>>
>>
>
>
> --
> Hui Lin
> PhD Candidate (http://hlin33.web.engr.illinois.edu/)
> DEPEND (http://depend.csl.illinois.edu/)
> ECE, Uni. of Illinois at Urbana-Champaign
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DNP3-Write.pcap
Type: application/octet-stream
Size: 610 bytes
Desc: not available
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20160209/f411fa03/attachment.obj 
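The events quoted above stop at the object header: OT 12801 is 0x3201, i.e. group 50 variation 1 (the absolute time object), which is what wireshark reports for the write, but nothing delivers the 6-byte time value itself. The following stand-alone decoder is an added example, not Bro's DNP3 analyzer nor any code from this thread: it walks a single-fragment DNP3 request from the link layer (start bytes, length, control, addresses, every CRC block) through the transport and application headers to the object header, and, for a WRITE (FC 2) of g50v1, decodes the UINT48 millisecond timestamp. The frame it parses is constructed here to match the shape of the one described (Len 18, Ctrl 196, Dst 3, Src 4, App 193, FC 2, qualifier 7, count 1); it is not the attached DNP3-Write.pcap, and the timestamp in it is made up. Only the count qualifiers 0x07 and 0x08 are handled; anything else is rejected rather than guessed at.

```python
"""Stand-alone decoder for a DNP3 Write (FC 2) request carrying group 50 variation 1.

Added example; not Bro/Zeek code. The sample frame is constructed to match the shape
of the request discussed on the list, not taken from the attached pcap.
"""
import struct
from datetime import datetime, timedelta, timezone

START = b"\x05\x64"
FC_WRITE = 2
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def dnp3_crc(data: bytes) -> int:
    """DNP3 CRC-16: reflected polynomial 0xA6BC, init 0, final complement, sent LSB first."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(ctrl: int, dst: int, src: int, user_data: bytes) -> bytes:
    """Link header (+CRC) followed by user data in CRC-protected blocks of up to 16 bytes."""
    header = START + bytes([5 + len(user_data), ctrl]) + struct.pack("<HH", dst, src)
    out = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        out += block + struct.pack("<H", dnp3_crc(block))
    return out


def strip_link_layer(frame: bytes):
    """Check start bytes and every CRC; return (length, ctrl, dst, src, user_data)."""
    if frame[:2] != START:
        raise ValueError("bad start bytes")
    length, ctrl = frame[2], frame[3]
    dst, src = struct.unpack_from("<HH", frame, 4)
    if struct.unpack_from("<H", frame, 8)[0] != dnp3_crc(frame[:8]):
        raise ValueError("link header CRC mismatch")
    user, pos, remaining = b"", 10, length - 5  # Len counts ctrl+dst+src (5) plus user data
    while remaining > 0:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if struct.unpack_from("<H", frame, pos + n)[0] != dnp3_crc(block):
            raise ValueError(f"data block CRC mismatch at offset {pos}")
        user, pos, remaining = user + block, pos + n + 2, remaining - n
    return length, ctrl, dst, src, user


def parse_request(frame: bytes) -> dict:
    """Decode link, transport, application request header, object header and g50v1 payload."""
    length, ctrl, dst, src, user = strip_link_layer(frame)
    if ctrl & 0x40 == 0:  # PRM bit clear: not a primary (request-direction) link frame
        raise ValueError("not a primary link frame")
    if user[0] & 0xC0 != 0xC0:  # transport FIR and FIN both set: single fragment only
        raise ValueError("multi-fragment transport not handled")
    app_ctrl, fc = user[1], user[2]
    group, variation, qualifier = user[3], user[4], user[5]
    prefix_code, range_code = (qualifier >> 4) & 0x7, qualifier & 0xF
    if prefix_code != 0 or range_code not in (7, 8):
        raise ValueError(f"unsupported qualifier 0x{qualifier:02x}")
    if range_code == 7:  # 1-byte count, no range, no index prefix
        count, data = user[6], user[7:]
    else:                # 2-byte count
        count, data = struct.unpack_from("<H", user, 6)[0], user[8:]
    result = {
        "len": length, "ctrl": ctrl, "dst": dst, "src": src,
        "app_ctrl": app_ctrl, "fc": fc,
        "object_type": (group << 8) | variation, "group": group, "variation": variation,
        "qualifier": qualifier, "count": count,
    }
    if fc == FC_WRITE and (group, variation) == (50, 1):
        if len(data) != 6 * count:
            raise ValueError("g50v1 payload length mismatch")
        ms = int.from_bytes(data[:6], "little")  # UINT48 milliseconds since 1970-01-01 UTC
        result["time_ms"] = ms
        result["time"] = EPOCH + timedelta(milliseconds=ms)
    return result


# Constructed sample: transport FIR|FIN seq 0, app ctrl 0xC1, FC 2 (WRITE), g50v1,
# qualifier 0x07, count 1, then a made-up 6-byte time 1455000000123 ms
# (2016-02-09T06:40:00.123Z). User data is 13 bytes, so the link Len field is 18.
SAMPLE_TIME_MS = 1_455_000_000_123
SAMPLE_USER_DATA = (bytes([0xC0, 0xC1, FC_WRITE, 50, 1, 0x07, 1])
                    + SAMPLE_TIME_MS.to_bytes(6, "little"))
SAMPLE_FRAME = build_frame(0xC4, 3, 4, SAMPLE_USER_DATA)


def corrupted_frame_rejected(frame: bytes) -> bool:
    """Flip one bit in the last data block; the CRC check must refuse the frame."""
    bad = bytearray(frame)
    bad[-3] ^= 0x01
    try:
        parse_request(bytes(bad))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for k, v in parse_request(SAMPLE_FRAME).items():
        print(f"{k}: {v}")
```

Running it prints the same link and application fields the Bro events above report for the real capture (len 18, ctrl 196, dst 3, src 4, app_ctrl 193, fc 2, object_type 12801, qualifier 7, count 1), plus the decoded time that Bro currently does not surface. The CRC check is worth keeping even in a throwaway decoder: a frame that passes start-byte and length checks but fails a block CRC should be dropped, not half-parsed.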
