[Bro] using binpac for protocol parser

Emmanuel TORQUATO Emmanuel.TORQUATO at monext.net
Tue Jan 20 03:45:59 PST 2015 

Hello All,

I would like to use binpac for protocol analyzer creation. The protocol is called cb2a, it's a bank exchange protocol.
I find very few sources which explains the way of building analyzers using binpac from scratch. The only ones I have are  "binpac: A yacc for writing application protocol Parsers" and the sample-message example.
However, I have been able to use binpac for file creation .cc and .h.
When adding the new folder in /usr/src/bro/src/analyzer/protocol/cb2a in the CMakeLists.txt with the below files and doing ./configure and then make, I have the error

"Linking CXX executable bro
CMakeFiles/bro.dir/plugins.cc.o: In function `__make_sure_to_use_plugin_globals()':
/usr/src/bro-2.3/build/src/plugins.cc:69: undefined reference to `plugin::Bro_Cb2a::__plugin'
"

There is something to do with file Plugin.cc but I don't know what... this file is not generated by binpac, so I have done one, but still the same issue.

Anyone can help me please?

Files:

##
Plugin.cc
##
#include "plugin/Plugin.h"

#include "cb2a_pac.h"

BRO_PLUGIN_BEGIN(Bro, Cb2a)
        BRO_PLUGIN_DESCRIPTION("Cb2a analyzer");
        BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END

##
Cb2a.pac
##
%include binpac.pac
%include bro.pac

%extern{
#include "events.bif.h"
%}


analyzer cb2a withcontext {
        connection:     cb2a_Conn;
        flow:   cb2a_Flow;
};

%include cb2a-protocol.pac
%include cb2a-analyzer.pac

##
Cb2a-analyzer.pac
##

connection cb2a_Conn(bro_analyzer: BroAnalyzer) {
        upflow = cb2a_Flow(true);
        downflow = cb2a_Flow(false);
};

flow cb2a_Flow(is_orig: bool) {
        flowunit = CB2A_Header withcontext (connection, this);

        function deliver_message(length: uint32): bool
                %{
                if ( ::cb2a_header )
                        {
                        BifEvent::generate_cb2a_header(
                                connection()->bro_analyzer(),
                                connection()->bro_analyzer()->Conn(),
                                is_orig(), length);
                        }

                return true;
                %}
};

##
CB2A-protocol.pac
##
type CB2A_Header = record {
        length: uint32;
        pgi_field: uint8 &check(pgi_field == 0xc1 || pgi_field == 0xc2 || pgi_field == 0xc3 || pgi_field == 0xc4);
        lgi_length: uint8;
        after_length: uint8[length - 2];
        } &byteorder = bigendian &length = msg_length &let {
        msg_length: int = length + 4;
        deliver: bool = $context.flow.deliver_message(length);
        };
##
Events.bif
##
event cb2a_header%(c: connection, is_orig: bool, length: count%);

Regards,

Emmanuel Torquato

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150120/7b338218/attachment-0001.html

More information about the Bro mailing list