[Bro-Dev] Writing analyzer for Siemens PLC
Dane Wullen
dane.wullen at alumni.fh-aachen.de
Fri May 4 02:33:47 PDT 2018
Hey Robin,
thanks for your answer. I will look through these files and see if I can
use this kind of reassembling.
> If with "payload" you mean the raw bytes, you would pass that as a
> string into the event. But it's hard to do much with raw data that in
> script-land. The common way would be instead creating one event per
> type of payload and then raising the corresponding event as you parse
> packets and find out what's in there.
No, I don't just want to put the whole data as a string into the event.
Well, seems like I have to define a lot of different events and/or bro
types (I don't know how many data types there are in total).
Thanks a lot.
Dane
On 04.05.2018 at 03:16, Robin Sommer wrote:
>
> On Wed, May 02, 2018 at 22:22 +0200, you wrote:
>
>> 1) Reassembling packets: Some S7CommPlus packets which payload is over a
>> certain amount of bytes will be split and need to be reassembled.
> As a couple quick pointers, the DNP3 and DTLS analyzers face a similar
> task, you might find some ideas there.
>
>> If I want to generate a Bro events which contains the payload as a
>> parameter, how do I do that?
> If with "payload" you mean the raw bytes, you would pass that as a
> string into the event. But it's hard to do much with raw data that in
> script-land. The common way would be instead creating one event per
> type of payload and then raising the corresponding event as you parse
> packets and find out what's in there.
>
> Robin
>
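The two points Robin raises above (reassembling a payload that arrives split across several packets, and raising one typed event per payload kind rather than one event carrying raw bytes) can be sketched in a few dozen lines. The following is an added illustration, not code from this thread and not the Bro/Zeek analyzer API (a real analyzer is written in C++/BinPAC and declares its events in a .bif file); it is a Python model of the control flow. The fragment framing (u32 total length, u8 fragment index, data) and the three payload type tags are constructed placeholders, not the S7CommPlus wire format, which the thread does not describe.

```python
import struct
from collections import defaultdict

# Constructed fragment framing for this illustration (NOT the real S7CommPlus layout):
#   u32 total payload length | u8 fragment index | fragment bytes
FRAG_HDR = struct.Struct("!IB")

# Constructed, hypothetical payload type tags; real S7CommPlus values are not on the page.
TYPE_READ_VAR = 0x01    # body: u16 item count
TYPE_WRITE_VAR = 0x02   # body: u16 address, u32 value
TYPE_JOB_STATUS = 0x03  # body: u8 status


class Reassembler:
    """Accumulate in-order fragments per flow until total_len bytes have arrived."""

    def __init__(self):
        self._buf = defaultdict(bytearray)
        self._next_idx = defaultdict(int)

    def feed(self, flow, packet):
        """Return the complete payload when the last fragment lands, else None."""
        if len(packet) < FRAG_HDR.size:
            return None                        # truncated header: nothing to do
        total_len, idx = FRAG_HDR.unpack_from(packet)
        if idx != self._next_idx[flow]:
            # gap or replay in the fragment sequence: discard the partial message
            # instead of splicing unrelated data together
            self._reset(flow)
            if idx != 0:
                return None
        self._buf[flow] += packet[FRAG_HDR.size:]
        self._next_idx[flow] = idx + 1
        if len(self._buf[flow]) > total_len:
            self._reset(flow)                  # more data than announced: refuse it
            return None
        if len(self._buf[flow]) == total_len:
            payload = bytes(self._buf[flow])
            self._reset(flow)
            return payload
        return None

    def _reset(self, flow):
        self._buf.pop(flow, None)
        self._next_idx.pop(flow, None)


class Dispatcher:
    """Raise one typed event per payload kind, the pattern Robin describes."""

    def __init__(self):
        self.events = []   # (event_name, fields) tuples, standing in for Bro events
        self._parsers = {
            TYPE_READ_VAR:   ("s7p_read_var",   struct.Struct("!H"),  ("item_count",)),
            TYPE_WRITE_VAR:  ("s7p_write_var",  struct.Struct("!HI"), ("address", "value")),
            TYPE_JOB_STATUS: ("s7p_job_status", struct.Struct("!B"),  ("status",)),
        }

    def dispatch(self, flow, payload):
        entry = self._parsers.get(payload[0]) if payload else None
        if entry is None or len(payload) - 1 != entry[1].size:
            # unknown tag or wrong body length: report a malformed-message event
            # with metadata only, never the raw bytes as a string
            self.events.append(("s7p_malformed",
                                {"flow": flow, "tag": payload[0] if payload else None,
                                 "len": len(payload)}))
            return
        name, st, fields = entry
        self.events.append((name, {"flow": flow, **dict(zip(fields, st.unpack(payload[1:])))}))


def make_fragments(payload, chunk):
    """Split a payload into fragments in the constructed framing (for sample input)."""
    return [FRAG_HDR.pack(len(payload), i) + payload[off:off + chunk]
            for i, off in enumerate(range(0, len(payload), chunk))]


def process(packets):
    """packets: iterable of (flow_key, raw_packet). Returns the list of raised events."""
    reasm, disp = Reassembler(), Dispatcher()
    for flow, pkt in packets:
        payload = reasm.feed(flow, pkt)
        if payload is not None:
            disp.dispatch(flow, payload)
    return disp.events


if __name__ == "__main__":
    # Constructed sample: a write request split into 3-byte fragments on flowA,
    # and a read request with a missing body on flowB.
    write = bytes([TYPE_WRITE_VAR]) + struct.pack("!HI", 0x0010, 42)
    pkts = [("flowA", f) for f in make_fragments(write, 3)]
    pkts.append(("flowB", FRAG_HDR.pack(1, 0) + bytes([TYPE_READ_VAR])))
    for ev in process(pkts):
        print(ev)
```

The dispatcher table is the part that grows with the protocol: each entry is one event with its own typed parameters, which is what makes the data usable in script-land.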