[Bro] segmentation fault by adding an analyzer to port 80

Eric Asselin Eric.Asselin at usherbrooke.ca
Wed Apr 10 01:05:28 PDT 2013


I think I've found why it doesn't work. When the inital tree of the DPD
is build, the transport layer is hardcoded within a switch so further
analyzer started by it's corresponding PIA (for UDP and TCP only) should
derive from the corresponding class to work properly. So an analyzer
itself can't act regardless of the transport layer.

In this case, for an analyzer to support both transport layer protocols,
it should derive TCP_ApplicationAnalyzer class and "extract or compute"
packet like the DNS Analyzer does.

Le 13-04-05 23:05, Eric Asselin a écrit :
> I try the same code but with the use of a signature to trigger my
> analyzer which worked, but again at the end I have the same
> "segmentation fault". If I derive the analyzer with
> TCP_ApplicationAnalyzer instead of just Analyzer and still use
> DeliverPacket(), the "seg fault" disappear.
>
> But in fact, I don't care about TCP connection stream, I just want the
> analyzer to be triggered regardless of the transport layer... and
> process the packet.
>
>
> Le 13-04-04 17:48, Siwek, Jonathan Luke a écrit :
>> On Apr 4, 2013, at 4:15 AM, Eric Asselin <Eric.Asselin at usherbrooke.ca>
>>  wrote:
>>
>>> When I force the anaylzer to be activated by modifying the DPM.cc, everything works well. But when I try to activate it by using a Bro script, like this: 
>>>
>>>     global foo_ports: set[port] = { 80/tcp } &redef;
>>>     redef dpd_config += { [ANALYZER_MYPROTO] = [$ports = foo_ports] };
>>>
>>> a segmentation fault appear at the end of the script.
>> I don't think there's a way to attach packet-based analyzers to TCP connections like that, so manually adding it in DPM.cc via TCP_Analyzer::AddChildPacketAnalyzer() for the ports you want may be the right thing.
>>
>> But if what you really wanted is a stream-based analyzer (it only sees the content after TCP reassembly), you can derive from TCP_ApplicationAnalyzer instead of Analyzer and override DeliverStream() instead of DeliverPacket().  Then the dpd_config redef you had should work.
>>
>> - Jon
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>




More information about the Bro mailing list