[Bro-Dev] BinPac - Many repeated messages in the same packet

Fernandez, Mark I mfernandez at mitre.org
Thu Oct 26 03:55:00 PDT 2017


Aaron,

>> I have a protocol that loads a given TCP packet with as many publish
>> messages as possible in a worst case scenario - often it just has a
>> single message, but it is not guaranteed. When a publish message
>> contains more than one subsequent message, there is not an indicator
>> that another message follows.

Perhaps try something like this:

type SPROTO_messages = SPROTO_message[]
    &until($input.length() == 0); # or some appropriate terminating condition

type SPROTO_message = record {
    thdr            : uint8;
    hdrlen          : uint8;
    variable_header : case msg_type of {
        SPROTO_CONNECT     -> connect_packet      : SPROTO_connect(hdrlen);
        SPROTO_SUBSCRIBE   -> subscribe_packet    : SPROTO_subscribe(hdrlen);
        SPROTO_SUBACK      -> suback_packet       : SPROTO_suback(hdrlen);
        SPROTO_PUBLISH     -> publish_packet      : SPROTO_publish(hdrlen);
        SPROTO_UNSUBSCRIBE -> unsubscribe_packet  : SPROTO_unsubscribe(hdrlen);
        default            -> none                : empty;
    };
} &let {
    msg_type        : uint8 = (thdr >> 4); # message type is the high nibble of the first header byte
};


Mark
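The following is an added example, not part of the list post above: a small Python model of what the suggested BinPac grammar does at runtime. It walks one TCP payload holding any number of back-to-back messages, dispatches on the high nibble of the first header byte (the `&let` clause), slices the variable header by `hdrlen`, and stops only when no input remains (the `&until($input.length() == 0)` condition). It also shows the failure mode a practitioner cares about with this pattern: a header whose `hdrlen` claims more bytes than the packet still has. The numeric type codes, the meaning of `hdrlen` as the byte length of the variable header, and the sample payload are all assumptions constructed for the example.

```python
# Added example modelling the BinPac grammar from the post; not code from the
# bro-dev thread. Type codes and the hdrlen semantics are assumptions.
from dataclasses import dataclass
from typing import List, Tuple

# Assumed numeric values; the post only names the identifiers.
SPROTO_CONNECT = 1
SPROTO_PUBLISH = 3
SPROTO_SUBSCRIBE = 8
SPROTO_SUBACK = 9
SPROTO_UNSUBSCRIBE = 10

TYPE_NAMES = {
    SPROTO_CONNECT: "connect",
    SPROTO_PUBLISH: "publish",
    SPROTO_SUBSCRIBE: "subscribe",
    SPROTO_SUBACK: "suback",
    SPROTO_UNSUBSCRIBE: "unsubscribe",
}


class TruncatedMessage(ValueError):
    """Raised when a header claims more bytes than remain in the payload."""


@dataclass
class SPROTOMessage:
    msg_type: int          # thdr >> 4, as in the &let clause
    flags: int             # thdr & 0x0f, the low nibble
    kind: str              # dispatched case name, or "none" for the default arm
    variable_header: bytes # the hdrlen bytes following the two header bytes


def parse_message(buf: bytes, offset: int) -> Tuple[SPROTOMessage, int]:
    """Parse one SPROTO_message at offset; return (message, offset after it)."""
    if len(buf) - offset < 2:
        raise TruncatedMessage(f"need 2 header bytes at offset {offset}")
    thdr = buf[offset]
    hdrlen = buf[offset + 1]
    start = offset + 2
    end = start + hdrlen
    if end > len(buf):
        raise TruncatedMessage(
            f"hdrlen={hdrlen} at offset {offset} exceeds the "
            f"{len(buf) - start} bytes remaining")
    msg_type = thdr >> 4
    kind = TYPE_NAMES.get(msg_type, "none")   # 'default -> none : empty'
    return SPROTOMessage(msg_type, thdr & 0x0F, kind, buf[start:end]), end


def parse_messages(buf: bytes) -> List[SPROTOMessage]:
    """SPROTO_messages: repeat parse_message until the input is exhausted."""
    offset = 0
    msgs: List[SPROTOMessage] = []
    while len(buf) - offset > 0:       # &until($input.length() == 0)
        msg, offset = parse_message(buf, offset)
        msgs.append(msg)
    return msgs


# Constructed sample payload: three publish messages and one suback packed
# back to back in a single TCP segment, with no count or delimiter between them.
SAMPLE = bytes([
    0x30, 0x03, ord("a"), ord("b"), ord("c"),   # publish, 3-byte variable header
    0x30, 0x00,                                  # publish, empty variable header
    0x90, 0x02, 0x00, 0x01,                      # suback, 2-byte variable header
    0x30, 0x01, 0x7F,                            # publish, 1-byte variable header
])

if __name__ == "__main__":
    for m in parse_messages(SAMPLE):
        print(m.kind, m.variable_header.hex())
```

Because the loop is driven purely by remaining length, a message split across two TCP segments shows up here as `TruncatedMessage`; in the real analyzer that is the case where BinPac's buffering (or a `&length`-style framing) has to hold the partial message until the next segment arrives rather than treating the short read as an error.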
