[Bro] spicy docker image - type parsing oddity

Troy Jordan troyj at maine.edu
Thu Nov 5 20:10:54 PST 2015


Hello,

I'm uncertain if I've run into an issue peculiar to the spicy docker
image (which should be the latest - 247ea5070b15), or if this is a syntax
problem.

In a basic modbus parser (attached: .pac2, .evt, .bro and modbus trace
file), the Message definition throws an error when executing as:

 root# bro -r modbus_part1.3.pcap modbus.evt modbus.bro

>>> struct.set __self "data" ref<MODBUS::DinputsPdu>()
<no location>:: error, operand type ref<MODBUS::DinputsPdu> is not
compatible with type ref<MODBUS::CoilsPdu> [pass::hilti::Validator]

However, the ALT Message definition works fine. In fact, if I parse the
data field with the same type (i.e. both with type CoilsPdu or both with
type DinputsPdu) it works, which is puzzling.

The idea is to parse different modbus function codes as different types
to enable raising type-specific events.

Any insights appreciated.

- Troy

-- 
Troy Jordan
t r o y j @ m a i n e . e d u
GIAC GCIH, GCIA
------------------------------------------------------------
Network Systems Security Analyst
Information Technology Security Office
University of Maine System
------------------------------------------------------------
233 Science Building           |     voice: 207.561.3590
Portland, ME 04103             |     fax:   509.351.3650

"As you all know, Security Is Mortals chiefest Enemy"
 William Shakespeare, Macbeth
-------------- next part --------------
Attachment scrubbed by the list archive: modbus-parse-fail.tar (application/octet-stream, 10240 bytes)
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151105/baaf507c/attachment.obj
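For readers without the attachment, the following is an added illustration (not Troy's .pac2 and not from the Bro/Spicy project) of the pattern the post describes, written in current Spicy syntax rather than the 2015 pac2 dialect. It assumes simplified request bodies for Read Coils (FC 1) and Read Discrete Inputs (FC 2), and gives each switch alternative its own field name (coils, dinputs), since a field name shared across cases must have a single type.

```spicy
module Modbus;

# Constructed, simplified PDUs: both read requests carry a big-endian
# starting address and a quantity (Spicy defaults to network byte order).
type CoilsPdu = unit {
    start: uint16;
    count: uint16;
};

type DinputsPdu = unit {
    start: uint16;
    count: uint16;
};

public type Message = unit {
    fc: uint8;
    # One function code per unit type, so Zeek-side events can be raised per type.
    # Distinct field names avoid forcing CoilsPdu and DinputsPdu into one field type.
    switch ( self.fc ) {
        0x01 -> coils:   CoilsPdu;
        0x02 -> dinputs: DinputsPdu;
        *    -> other:   bytes &eod;   # unhandled function codes: keep raw payload
    };
};
```

The .evt file would then bind separate events to Modbus::Message's coils and dinputs fields; that binding is not shown here.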