[Bro] initial buffer length

Hui Lin (Hugo) hlin33 at illinois.edu
Thu May 28 08:21:51 PDT 2015


Hi Abdelkarim,

Probably you should try to use a basic data type, such as int, for
"type" and "chunk" instead of using the bytestring (even with the length
defined). I remember that the bytestring did not work for my case either. I
don't remember the reason in detail now, but I remember that it is related
to how the BinPac compiler is implemented.

Best,

Hui Lin





On Thu, May 28, 2015 at 3:44 AM, Abdelkarim benkhadra <
a.benkhadra at hotmail.com> wrote:

> Hi Hui,
> Thanks for your answer.
>
> I tried the DNP3 way; it still does not work:
>
> type myproto_Header = record {
>   type: bytestring &length=3;
>   chunk: bytestring &length=1;
>   msgSize: uint16;
> };
>
> type myproto_req = record {
>   hdr: myproto_Header;
>   data: case (hdr.type) of {
>       //some records;
>   };
> }&length = hdr.msgSize;
>
> The length of the records in the "case" is specified for each one.
> I still get the same error.
>
>  ------------------------------
> From: hlin33 at illinois.edu
> Date: Wed, 27 May 2015 10:02:53 -0500
> Subject: Re: [Bro] initial buffer length
> To: a.benkhadra at hotmail.com
> CC: bro at bro.org
>
>
>  Hi Abdelkarim,
>
>  In the myproto_Header, do you have some definitions of records before
> msgSize (whose length is not explicitly specified)? If that is the case,
> BinPac cannot decide the initial length in order to locate msgSize.
>
>  You may refer to the DNP3 analyzer that I wrote in a similar way.
>
>
>  type Header_Block = record {
>         start: uint16 &check(start == 0x0564);
>         len: uint8;
>         ctrl: uint8;
>         dest_addr: uint16;
>         src_addr: uint16;
>  } &byteorder = littleendian;
>
>  type DNP3_Request = record {
>          addin_header: Header_Block;  ## added by Hui Lin in Bro code
>          ....
>  } &byteorder = bigendian
>    &length= 9 + addin_header.len - 5 - 1;
>
>
>  Hope this helps.
>
>  Best,
>
>  Hui Lin
>
>
>  On Wed, May 27, 2015 at 6:52 AM, Abdelkarim benkhadra <
> a.benkhadra at hotmail.com> wrote:
>
>  Hi,
>
> In myproto-protocol.pac, I have:
>
> type myproto_PDU(is_orig: bool) = record {
>   header: myproto_Header;
>   //restofdefinition;
> } &length=header.msgSize;
>
> type myproto_Header = record {
>   //some fields;
>   msgSize: uint16;
>   //restoffields;
> };
> msgSize represents the length of the PDU.
> And when "make"ing Bro I get "cannot determine initial buffer length for
> type myproto_PDU".
> I tried some random values like &length=60 and it works fine.
> I took the Modbus analyzer as an example to write the myproto analyzer, but
> without success.
> Any ideas?
>
>
>
>
>  --
> Hui Lin
> PhD Candidate, Research Assistant
> Electrical and Computer Engineering Department
> University of Illinois at Urbana-Champaign
>



-- 
Hui Lin
PhD Candidate, Research Assistant
Electrical and Computer Engineering Department
University of Illinois at Urbana-Champaign
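
The constraint discussed in this thread, modelled as an added Python example (not code from the thread or from BinPac): a parser must know how many bytes to buffer before it can read the length field, so every field ahead of it needs a fixed size. Treating bytestring as non-fixed follows the report in the reply above; the header layouts, field names and big-endian byte order are assumptions.

```python
import struct

# Static sizes of fixed-width types. bytestring is deliberately absent: the
# reply above reports it is not treated as fixed-size, even with &length.
STATIC_SIZE = {"uint8": 1, "uint16": 2, "uint32": 4}
UNPACK = {1: "B", 2: "H", 4: "I"}


def initial_buffer_length(fields, length_field):
    """Bytes that must be buffered before length_field can be read."""
    offset = 0
    for name, ftype in fields:
        size = STATIC_SIZE.get(ftype)
        if size is None:
            raise ValueError(f"cannot determine initial buffer length: "
                             f"{name!r} ({ftype}) precedes {length_field!r}")
        offset += size
        if name == length_field:
            return offset
    raise ValueError(f"length field {length_field!r} not found")


def frame_pdus(stream, fields, length_field, byteorder=">"):
    """Split stream into complete PDUs; return (pdus, leftover_bytes)."""
    need = initial_buffer_length(fields, length_field)
    width = STATIC_SIZE[dict(fields)[length_field]]
    pdus, pos = [], 0
    while len(stream) - pos >= need:
        (size,) = struct.unpack_from(byteorder + UNPACK[width], stream,
                                     pos + need - width)
        if size < need:  # shorter than its own header: reject, do not loop
            raise ValueError(f"declared length {size} < header size {need}")
        if len(stream) - pos < size:
            break  # incomplete PDU, wait for more data
        pdus.append(stream[pos:pos + size])
        pos += size
    return pdus, stream[pos:]


# Constructed layouts for the thread's myproto header (names/widths assumed).
BYTESTRING_HEADER = [("type", "bytestring"), ("chunk", "bytestring"),
                     ("msgSize", "uint16")]
FIXED_HEADER = [("type_hi", "uint16"), ("type_lo", "uint8"),
                ("chunk", "uint8"), ("msgSize", "uint16")]

if __name__ == "__main__":
    sample = b"REQ\x01\x00\x08hi" + b"RSP\x02\x00\x0adata" + b"REQ\x01\x00"
    print(frame_pdus(sample, FIXED_HEADER, "msgSize"))
```

The check that the declared length is at least the header size matters for any length-prefixed format: without it, a crafted msgSize smaller than the header would make the framing loop stall or slice backwards.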