[Bro] invoking the "protocol_confirmation" event

Earl Eiland earl.eiland at root9b.com
Mon Jul 13 05:26:25 PDT 2015


I believe I'm using the updated bro code.  My source pcap has MODBUS traffic, and there are three MODBUS logs: modbus, known_modbus and modbus_register_change; my earlier bro only output modbus.log.  However, MODBUS does not appear to be picked up by protocol_confirmation.  When I run the test script

event protocol_confirmation(c: connection , atype: Analyzer::Tag , aid: count )
    {
    print atype;
    }

The output is
Analyzer::ANALYZER_DNS
Analyzer::ANALYZER_DNS
Analyzer::ANALYZER_DNS
Analyzer::ANALYZER_DNS
Analyzer::ANALYZER_DNS
Analyzer::ANALYZER_DNS
Analyzer::ANALYZER_DNS

Earl

-----Original Message-----
From: Johanna Amann [mailto:johanna at icir.org] 
Sent: Friday, July 10, 2015 4:36 PM
To: Earl Eiland
Cc: bro at bro.org
Subject: Re: [Bro] invoking the "protocol_confirmation" event

On Fri, Jul 10, 2015 at 09:08:40PM +0000, Earl Eiland wrote:
> I'm working on cataloging service-level protocols seen on a network.
> event.bif.bro lists "protocol_confirmation: event(c: connection , atype:
> Analyzer::Tag , aid: count)", which seems to be just the ticket.
> However, it is not invoked by some of the protocol analyzers of 
> interest (e.g., MODBUS/TCP).  It is invoked by DNS, but I don't see it 
> in /scripts/base/protocols/dns/main.bro<https://www.bro.org/sphinx/_downloads/main25.bro>.
> How do I modify the other protocol analyzer scripts to invoke 
> protocol_confirmation?

You do not see the event being raised in scriptland, because it is generated by Bro when the C++ or binpac code (in src/analyzers/protocols/*) calls ProtocolConfirmation(); or bro_analyzer()->ProtocolConfirmation(); to confirm that it is parsing the correct protocol, after it parses enough data to be sure about it.

That function call was missing from the modbus analyzer; it was added to bro master a few days ago and should be raised there now too.

TCP/UDP do not raise it currently -- I think the justification for this is that in the case of TCP and UDP Bro does not really detect the protocol, but it is given directly in the IP information (i.e. -- if the IP header says that it is TCP, Bro just believes it).

Johanna
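A script that does the cataloguing Earl set out to do, added here as an example for this thread (it is not code from either poster): it records each confirmed (responder host, responder port, analyzer) triple once and writes it to its own log stream. The module name, the log stream and the ignore_analyzers set are assumptions; the protocol_confirmation signature and Analyzer::name() are those of Bro 2.4, and an analyzer only appears here once its C++/binpac code calls ProtocolConfirmation(), so modbus shows up only with a build that carries that fix.

```bro
# Added example, not part of the mailing-list thread.
# Catalogue service-level protocols confirmed by Bro's analyzers,
# one log line per (responder host, responder port, analyzer).
module ProtoCatalog;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:       time   &log;   # when the analyzer confirmed the protocol
        host:     addr   &log;   # responder (server) address
        p:        port   &log;   # responder port
        analyzer: string &log;   # e.g. "DNS", "MODBUS"
    };

    # Assumed tunable: analyzers to leave out of the catalogue.
    # (Transport analyzers never confirm anyway, as Johanna notes.)
    const ignore_analyzers: set[Analyzer::Tag] = { } &redef;
}

# Triples already logged, so repeated connections do not repeat lines.
global seen: set[addr, port, string];

event bro_init()
    {
    Log::create_stream(ProtoCatalog::LOG, [$columns=Info, $path="proto_catalog"]);
    }

event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
    {
    if ( atype in ignore_analyzers )
        return;

    # Analyzer::name() turns Analyzer::ANALYZER_DNS into "DNS".
    local name = Analyzer::name(atype);
    local h = c$id$resp_h;
    local p = c$id$resp_p;

    if ( [h, p, name] in seen )
        return;

    add seen[h, p, name];
    Log::write(ProtoCatalog::LOG,
               [$ts=network_time(), $host=h, $p=p, $analyzer=name]);
    }
```

Run it over the same pcap with `bro -r file.pcap proto_catalog.bro` and compare proto_catalog.log against the modbus.log entries; a server that appears in modbus.log but not here is being parsed by an analyzer that never calls ProtocolConfirmation().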


