[Bro] spicy docker image - type parsing oddity

Troy Jordan troyj at maine.edu
Fri Nov 6 12:39:35 PST 2015 

So, this is easy to fix. I figured out that once a field name gets
typed, it can only appear again with the same type. Makes perfect sense.

So this snippet would work:

switch ( self.fcode ) {
    b"0x01" -> data1: CoilPDU;
    b"0x03" -> data2: HregisterPDU;
    }

and so would this:

switch ( self.fcode ) {
    b"0x01" -> data1: CoilPDU;
    b"0x03" -> data1: CoilPDU;
    }

but not this one which reuses the 'data' fieldname but with different types:

switch ( self.fcode ) {
    b"0x01" -> data: CoilPDU;
    b"0x03" -> data: HregisterPDU;
    }

- Troy

On 11/5/2015 11:10 PM, Troy Jordan wrote:
> Hello,
>
> I'm uncertain if I've run into an issue peculiar to the spicy docker
> image (which should be the latest - 247ea5070b15), or if this is syntax
> problem.
>
> In a basic modbus parser (attached : .pac2, .evt, .bro and modbus trace
> file) , the Message definition throws an error when executing as:
>
>  root# bro -r modbus_part1.3.pcap modbus.evt modbus.bro
>
>>>> struct.set __self "data" ref<MODBUS::DinputsPdu>()
> <no location>:: error, operand type ref<MODBUS::DinputsPdu> is not
> compatible with type ref<MODBUS::CoilsPdu> [pass::hilti::Validator]
>
> However,  ALT Message definition works fine. In fact, if I parse the
> data field with the same type (ie both with type CoilsPdu or both with
> type DinputsPdu) it works, which is puzzling.
>
> The idea is to parse different modbus function codes as different types
> to enable raising type-specific events.
>
> Any insights appreciated.
>
> - Troy
>
>
>
>
>
>
>

-- 


                     	  Troy Jordan 
                   t r o y j @ m a i n e . e d u
			   GIAC GCIH,GCIA
------------------------------------------------------------
                Network Systems Security Analyst
             Information Technology Security Office
                    University of Maine System
------------------------------------------------------------
233 Science Building           |     voice: 207.561.3590
Portland, ME 04103             |     fax:   509.351.3650



"As you all know, Security Is Mortals chiefest Enemy"
 William Shakespeare, Macbeth


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

More information about the Bro mailing list