[Bro] ssl binpac analyzer -- patches

Ruoming Pang rpang at cs.princeton.edu
Thu May 31 18:18:01 PDT 2007


On 5/31/07, jmzhou.ml at gmail.com <jmzhou.ml at gmail.com> wrote:
> Yes, the changes work well at my side.
>
> Some problems of binpac:
>
> . Split binpac out of bro source tree.

That's actually happening. Please stay tuned. Also, if you have a
recommendation on a fast regexp library with a BSD-like license, please
let me know. Note that we do not need perl-like captures, but only the
longest match.

> I think to make binpac standalone
> makes testing/developing much easier. One can develop new analyzers and
> test them with dedicated .pcap files.

I agree likewise. In fact, one way to significantly improve testing in
binpac is to make a (proof-of-concept) script when an issue arises.
Such as in this case... By keeping these scripts around we can make
sure that old problems do not surface again.

> . Binpac does not support SunRPC over TCP now. There are four extra bytes
> prepended in RPC packets. Either TCP layer decoder should take care of
> these extra bytes, or the RPC decoder has to do something with it. In
> addition, &exportsourcedata is used in RPC/UDP decoder based on datagram
> mode. It is not supported by flowunit mode. This means, we cannot simply
> change the decoder from datagram mode to flowunit mode for RPC/TCP.

The way I imagine doing this is to consider RPC on TCP a trivial
lower-level protocol than RPC on UDP. For each RPC-on-TCP message, the
analyzer calls the datagram mode RPC analyzer's NewData() routine.
What do you think?

> Finally, a Ref call is missing in the NewCall function when a call already
> exists, and an Unref call is not correctly called in FinishCall.

This is a good point. Thanks for pointing it out!

Ruoming

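The "thin TCP layer" Ruoming sketches above (strip the four prepended bytes, reassemble, and call the datagram-mode RPC analyzer's NewData() once per complete message) as an added Python example, not code from the thread or from binpac. The header layout assumed here (high bit = last fragment, low 31 bits = fragment length) is the RFC 5531 record marking standard, which the thread does not spell out; the fragment-size limit and the sample messages are constructed.

```python
import struct

RM_LAST_FRAG = 0x80000000      # high bit of the 4-byte record mark
MAX_FRAG_LEN = 1 << 20         # constructed cap: refuse absurd lengths


class RpcTcpDeframer:
    """Buffers TCP payload (flowunit-style), strips record marking and
    delivers each reassembled RPC message to new_data(), the stand-in
    for the datagram-mode analyzer's NewData() routine."""

    def __init__(self, new_data, max_frag=MAX_FRAG_LEN):
        self.new_data = new_data
        self.max_frag = max_frag
        self.buf = b""        # unconsumed TCP bytes
        self.frags = []       # fragments of the message being assembled

    def feed(self, chunk: bytes) -> int:
        """Consume one TCP segment; return how many messages were delivered."""
        self.buf += chunk
        delivered = 0
        while len(self.buf) >= 4:
            (hdr,) = struct.unpack("!I", self.buf[:4])
            last, length = bool(hdr & RM_LAST_FRAG), hdr & 0x7FFFFFFF
            if length > self.max_frag:
                # A bogus length would otherwise make us buffer forever.
                raise ValueError(f"fragment length {length} exceeds limit")
            if len(self.buf) < 4 + length:
                break             # wait for the rest of this fragment
            self.frags.append(self.buf[4:4 + length])
            self.buf = self.buf[4 + length:]
            if last:
                self.new_data(b"".join(self.frags))
                self.frags = []
                delivered += 1
        return delivered


def frame(msg: bytes, frag_size=None) -> bytes:
    """Encode msg with record marking, optionally split into fragments."""
    frag_size = frag_size or max(len(msg), 1)
    pieces = [msg[i:i + frag_size] for i in range(0, len(msg), frag_size)] or [b""]
    out = b""
    for i, p in enumerate(pieces):
        out += struct.pack("!I", len(p) | (RM_LAST_FRAG if i == len(pieces) - 1 else 0)) + p
    return out


def deframe_stream(chunks, max_frag=MAX_FRAG_LEN):
    """Run a list of TCP chunks through the deframer; return the messages seen."""
    msgs = []
    d = RpcTcpDeframer(msgs.append, max_frag)
    for c in chunks:
        d.feed(c)
    return msgs
```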

