[Bro] Protocols in protocols
Siwek, Jonathan Luke
jsiwek at illinois.edu
Wed Mar 26 11:34:34 PDT 2014
On Mar 26, 2014, at 11:49 AM, Thomas, Eric D <edthoma at sandia.gov> wrote:
> I’m writing an analyzer for a few protocols which may or may not be layered. That is, a packet may be IP|TCP|ProtoA|ProtoB, or IP|TCP|ProtoC|ProtoB, or IP|TCP|ProtoB, and perhaps other variations. I envision writing separate protocol analyzers for each of those protocols instead of having to account for all the variations in one protocol analyzer. Does Bro/binPAC allow for this, and if so how? If it makes a difference, in this case most of the protocols cannot have useful DPD signatures.
For protocols that sit inside a transport protocol (TCP/UDP), it’s typical to write a DPD signature and/or have a script that calls [1] to have Bro automatically instantiate and manage an analyzer for the inner protocol (e.g. Proto{A,B,C}). If those may encapsulate a known application-layer protocol, then it may just be a matter of putting code inside those outer analyzers to do their own instantiation/management of some inner analyzer (e.g. ProtoB) and feed it the appropriate data. But if the inner protocol can be another IPv4/IPv6 packet or an arbitrary application-layer protocol, it needs a different treatment. I can elaborate if that's the situation.
- Jon
[1] http://bro.org/sphinx/scripts/base/frameworks/analyzer/main.html#id-Analyzer::register_for_ports
More information about the Bro
mailing list