[Bro-Dev] bro and DNP3 decoder

Jeff Barber jbarber at computer.org
Wed Feb 10 14:02:05 PST 2016 

Thanks a lot for the response. That makes sense. If I find some packet
captures for this stuff, I will share them if I can.

On Wed, Feb 10, 2016 at 4:46 PM, Hui Lin (Hugo) <hlin33 at illinois.edu> wrote:

> Hi Jeff,
>
> I think in the current master, we do support the function code of "write"
> in the master branch, but not the type of objects used in the given pcap
> file. In that development branch you mentioned, I think I added as many as
> event handlers I can. But we could not merge them into the master branch,
> as at that time, we could not find any sufficient test pcap files that can
> trigger the event handlers. Probably it is the time for me to search again
> for the test pcap files again from the Internet. The pacp that you provide
> may not be used as a test case, as it looks like a truncated communication,
> i.e., a request without responses. If you have any test pcap, feel free to
> share with us if that is appropriate for you. Also, if you need to use
> these event handlers, I think that you can also go for that development
> branch. And also feel free to let me know if there is any bug in that
> branch, I can work to fix them.
>
> Best,
>
> Hui Lin
>
>
>
> On Tue, Feb 9, 2016 at 5:19 PM, Jeff Barber <jbarber at computer.org> wrote:
>
>>
>> It's only particular object types and especially those in the *request*
>> that I'm referring to. I do see response objects fine. I wish I had better
>> pcaps to share, but I'm having trouble finding those myself. :)
>>
>>
>> I have attached one I found on the web which, according to wireshark, has
>> a single write of object type 50, variation 01. It produces these events:
>>
>> header_block, [orig_h=127.0.0.1, orig_p=37712/tcp, resp_h=127.0.0.1,
>> resp_p=20000/tcp, vlan=0, inner_vlan=0], T, Start, 25605, Len, 18, Ctrl,
>> 196, Dst, 3, Src, 4
>> application_request_header, [orig_h=127.0.0.1, orig_p=37712/tcp,
>> resp_h=127.0.0.1, resp_p=20000/tcp, vlan=0, inner_vlan=0], T, App, 193, FC,
>> 2
>> object_header, [orig_h=127.0.0.1, orig_p=37712/tcp, resp_h=127.0.0.1,
>> resp_p=20000/tcp, vlan=0, inner_vlan=0], T, OT, 12801, Qua, 7, Num, 1, RF,
>> 1, 0
>> object_prefix, [orig_h=127.0.0.1, orig_p=37712/tcp, resp_h=127.0.0.1,
>> resp_p=20000/tcp, vlan=0, inner_vlan=0], T, PREF, 0
>>
>> (Mnemonics included except for the first two fields which are always c$id
>> and is_orig.)
>>
>> but there's no event giving the content of that object type.
>>
>>
>> I'm not getting any error messages, but just in looking at the .pac files
>> in the dnp3 directory, I see the code apparently parsing all the unique
>> types below, but it doesn't seem to be generating events for any of them.
>> At least some of those *do* seem to have had events generated for them in
>> that dnp3-events branch code.
>>
>> AnaOutStatus32
>> AnaOutStatus16
>> AnaOutStatusSP
>> AnaOutStatusDP
>> AnaOut32
>> AnaOut16
>> AnaOutSP
>> AnaOutDP
>> AnaOutEve32woTime
>> AnaOutEve16woTime
>> AnaOutEve32wTime
>> AnaOutEve16wTime
>> AnaOutEveSPwoTime
>> AnaOutEveDPwoTime
>> AnaOutEveSPwTime
>> AnaOutEveDPwTime
>>
>>
>> Thanks.
>>
>>
>> On Tue, Feb 9, 2016 at 4:49 PM, Hui Lin (Hugo) <hlin33 at illinois.edu>
>> wrote:
>>
>>> ​Hi Jeff,
>>>
>>> I think the master branch should contain what we wrote before. I run
>>> some simple DNP3 test cases included in Bro from master branch and I do see
>>> the simple print out message.
>>>
>>> Does running your pcap generate any error message? Do you mind sharing
>>> the trace that you are using for me to take a look at what is going on?​
>>>
>>> Best,
>>>
>>> Hui Lin
>>>
>>> On Tue, Feb 9, 2016 at 3:04 PM, Jeff Barber <jbarber at computer.org>
>>> wrote:
>>>
>>>> Hi
>>>>
>>>> I'm trying to use bro for decoding DNP3 traffic and following the logic
>>>> through its parser to the various dnp3_xxx events. (The documentation on
>>>> how to use the DNP3 events is a bit light but I think I understand what's
>>>> happening.) When I try to follow the request objects logic (e.g. as you
>>>> might get from a DNP3 write command), I can't see how they're getting
>>>> output to the bro script layer at all. Most of them seem to simply dead-end
>>>> in the parser with no event generated.
>>>>
>>>> I spent a little while looking through the bro branches and came across
>>>> a branch called topics/hui/dnp3-events that _seems_ to have support for a
>>>> bunch of additional objects. It was last worked on in February 2014 but I
>>>> can't find any hint of it in the master branch.
>>>>
>>>> Just wondering if anyone can clarify. Am I misunderstanding how it
>>>> works? Or did the code in dnp3-events branch get lost? Or was it never
>>>> merged? Or never completed?
>>>>
>>>> Thanks!
>>>>
>>>> Addressing to Hui Lin but also including bro-dev in case someone else
>>>> knows the history.
>>>>
>>>>
>>>
>>>
>>> --
>>> Hui Lin
>>> PhD Candidate (http://hlin33.web.engr.illinois.edu/)
>>> DEPEND (http://depend.csl.illinois.edu/)
>>> ECE, Uni. of Illinois at Urbana-Champaign
>>>
>>>
>>
>
>
> --
> Hui Lin
> PhD Candidate (http://hlin33.web.engr.illinois.edu/)
> DEPEND (http://depend.csl.illinois.edu/)
> ECE, Uni. of Illinois at Urbana-Champaign
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20160210/a830ad70/attachment.html

More information about the bro-dev mailing list