[Bro] Follow up on invoking the "protocol_confirmation" event

Earl Eiland earl.eiland at root9b.com
Wed Jul 15 05:19:30 PDT 2015

Just in case my bro version did not include the fix you mentioned, Johanna, I updated bro yesterday and re-ran the test.  My output was the same as before.  I followed up with a test on a pcap with DNP3 traffic.  My test script output included "Analyzer::ANALYZER_DNP3_TCP".  It appears that for whatever reason, there may still be a disconnect between the MODBUS analyzer and ProtocolConfirmation().


-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Earl Eiland
Sent: Monday, July 13, 2015 7:26 AM
To: Johanna Amann
Cc: bro at bro.org
Subject: Re: [Bro] invoking the "protocol_confirmation" event

I believe I'm using the updated bro code.  My source pcap has MODBUS traffic, and there are three MODBUS logs: modbus, known_modbus and modbus_register_change; my earlier bro only output modbus.log.  However, MODBUS does not appear to be picked up by protocol_confirmation.  When I run the test script

event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
    {
    print atype;
    }

The output is


-----Original Message-----
From: Johanna Amann [mailto:johanna at icir.org]
Sent: Friday, July 10, 2015 4:36 PM
To: Earl Eiland
Cc: bro at bro.org
Subject: Re: [Bro] invoking the "protocol_confirmation" event

On Fri, Jul 10, 2015 at 09:08:40PM +0000, Earl Eiland wrote:
> I'm working on cataloging service-level protocols seen on a network.
> event.bif.bro lists "protocol_confirmation: event(c: connection , atype:
> Analyzer::Tag , aid: count)", which seems to be just the ticket.
> However, it is not invoked by some of the protocol analyzers of 
> interest (e.g., MODBUS/TCP).  It is invoked by DNS, but I don't see it 
> in /scripts/base/protocols/dns/main.bro (https://www.bro.org/sphinx/_downloads/main25.bro).
> How do I modify the other protocol analyzer scripts to invoke 
> protocol_confirmation?

You do not see the event being raised in scriptland, because it is generated by Bro when the C++ or binpac code (in
src/analyzers/protocols/*) calls ProtocolConfirmation(); or bro_analyzer()->ProtocolConfirmation(); to confirm that it is parsing the correct protocol, after it parses enough data to be sure about it.

That function call was missing from the modbus analyzer; it has been added to bro master a few days ago and should be raised there now too.

TCP/UDP do not raise it currently -- I think the justification for this is that in the case of TCP and UDP Bro does not really detect the protocol, but it is given directly in the IP information (i.e. -- if the IP header says that it is TCP, Bro just believes it).
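Putting the two messages together (the analyzer confirms in C++, the event arrives in scriptland), here is an added example of the catalog script Earl is describing; it is not code from the thread or from the Bro distribution. It records each (responder host, port, analyzer) triple once in a proto_catalog log and forgets the triple again if the same analyzer later raises protocol_violation, so a bad confirmation does not keep suppressing a later correct one. The log stream name, record type and `seen` table are assumptions of this example; Analyzer::name(), Log::create_stream() and the two event signatures are Bro 2.x APIs.

```bro
@load base/frameworks/analyzer

module ProtoCatalog;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:       time   &log;
        host:     addr   &log;
        port_num: port   &log;
        proto:    string &log;
    };

    ## Confirmed (responder host, responder port, analyzer name) triples.
    global seen: set[addr, port, string];
}

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="proto_catalog"]);
    }

event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
    {
    # Raised only when the analyzer called ProtocolConfirmation() in C++,
    # so TCP/UDP themselves never show up here (see Johanna's note above).
    local name = Analyzer::name(atype);
    local h = c$id$resp_h;
    local p = c$id$resp_p;

    if ( [h, p, name] in seen )
        return;

    add seen[h, p, name];
    Log::write(LOG, [$ts=network_time(), $host=h, $port_num=p, $proto=name]);
    }

event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string)
    {
    # The analyzer gave up on this connection; drop the triple so a later,
    # genuine confirmation of the same service is logged again.
    delete seen[c$id$resp_h, c$id$resp_p, Analyzer::name(atype)];
    }
```

Run it as `bro -r traffic.pcap proto_catalog.bro`; with the fixed modbus analyzer the log should list Analyzer::ANALYZER_MODBUS next to the Modbus server's address and port.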

