[Bro-Dev] BinPac - Many repeated messages in the same packet
Fernandez, Mark I
mfernandez at mitre.org
Thu Oct 26 03:55:00 PDT 2017
Aaron,
>> I have a protocol that loads a given TCP packet with as many publish
>> messages as possible in a worst case scenario - often it just has a
>> single message, but it is not guaranteed. When a publish message
>> contains more than one subsequent message, there is not an indicator
>> that another message follows.
Perhaps try something like this:
    type SPROTO_messages = SPROTO_message[]
        &until($input.length() == 0); # or some appropriate terminating condition

    type SPROTO_message = record {
        thdr            : uint8;
        hdrlen          : uint8;
        variable_header : case msg_type of {
            SPROTO_CONNECT     -> connect_packet     : SPROTO_connect(hdrlen);
            SPROTO_SUBSCRIBE   -> subscribe_packet   : SPROTO_subscribe(hdrlen);
            SPROTO_SUBACK      -> suback_packet      : SPROTO_suback(hdrlen);
            SPROTO_PUBLISH     -> publish_packet     : SPROTO_publish(hdrlen);
            SPROTO_UNSUBSCRIBE -> unsubscribe_packet : SPROTO_unsubscribe(hdrlen);
            default            -> none               : empty;
        };
    } &let {
        # message type is the high nibble of the first header byte
        msg_type : uint8 = (thdr >> 4);
    };
Mark
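
The loop that the &until($input.length() == 0) array expresses, written out in Python as an added example that is not part of the original message or of the Bro/BinPAC code base. It assumes hdrlen counts the bytes that follow the two header bytes; the numeric type codes and the sample payload are constructed, since the thread gives neither.

```python
# Constructed type codes: the post names the message types but gives no numeric values.
MSG_TYPES = {1: "CONNECT", 3: "PUBLISH", 8: "SUBSCRIBE", 9: "SUBACK", 10: "UNSUBSCRIBE"}

def parse_messages(buf: bytes):
    """Split one chunk of stream data into (type_name, body) tuples.

    Returns (messages, leftover). leftover holds the bytes of a trailing
    partial message, to be prepended to the next chunk of the stream.
    """
    messages = []
    offset = 0
    while offset < len(buf):              # same stop condition as $input.length() == 0
        if len(buf) - offset < 2:         # thdr + hdrlen not both available yet
            break
        thdr, hdrlen = buf[offset], buf[offset + 1]
        end = offset + 2 + hdrlen         # assumption: hdrlen counts bytes after these two
        if end > len(buf):                # length field points past the data we hold
            break
        msg_type = thdr >> 4              # high nibble, as in the &let field
        name = MSG_TYPES.get(msg_type, "UNKNOWN")  # mirrors `default -> none : empty`
        messages.append((name, buf[offset + 2:end]))
        offset = end                      # always advances by at least 2 bytes
    return messages, buf[offset:]

def build(msg_type: int, body: bytes) -> bytes:
    """Constructed sample encoder: type in the high nibble, then a one-byte length."""
    return bytes([msg_type << 4, len(body)]) + body

# Constructed payload: three PUBLISH messages and a SUBACK packed into one segment,
# followed by the first 3 bytes of a message whose remainder arrives later.
PAYLOAD = (build(3, b"t/1=on") + build(3, b"t/2=off") + build(3, b"")
           + build(9, b"\x00") + build(3, b"t/3=on")[:3])

if __name__ == "__main__":
    msgs, rest = parse_messages(PAYLOAD)
    for name, body in msgs:
        print(name, body)
    print("buffered for next segment:", rest)
```

The length check before slicing is what keeps a hdrlen larger than the remaining input from being read as a complete message; the unparsed tail is handed back to the caller instead.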