[Bro] spicy docker image - type parsing oddity
Troy Jordan
troyj at maine.edu
Fri Nov 6 12:39:35 PST 2015
So, this is easy to fix. I figured out that once a field name gets
typed, it can only appear again with the same type. Makes perfect sense.
So this snippet would work:
    switch ( self.fcode ) {
        b"0x01" -> data1: CoilPDU;
        b"0x03" -> data2: HregisterPDU;
    }
and so would this:
    switch ( self.fcode ) {
        b"0x01" -> data1: CoilPDU;
        b"0x03" -> data1: CoilPDU;
    }
but not this one, which reuses the 'data' field name but with different types:
    switch ( self.fcode ) {
        b"0x01" -> data: CoilPDU;
        b"0x03" -> data: HregisterPDU;
    }
- Troy
On 11/5/2015 11:10 PM, Troy Jordan wrote:
> Hello,
>
> I'm uncertain if I've run into an issue peculiar to the spicy docker
> image (which should be the latest - 247ea5070b15), or if this is a syntax
> problem.
>
> In a basic modbus parser (attached: .pac2, .evt, .bro and modbus trace
> file), the Message definition throws an error when executing as:
>
> root# bro -r modbus_part1.3.pcap modbus.evt modbus.bro
>
>>>> struct.set __self "data" ref<MODBUS::DinputsPdu>()
> <no location>:: error, operand type ref<MODBUS::DinputsPdu> is not
> compatible with type ref<MODBUS::CoilsPdu> [pass::hilti::Validator]
>
> However, ALT Message definition works fine. In fact, if I parse the
> data field with the same type (i.e. both with type CoilsPdu or both with
> type DinputsPdu) it works, which is puzzling.
>
> The idea is to parse different modbus function codes as different types
> to enable raising type-specific events.
>
> Any insights appreciated.
>
> - Troy
--
Troy Jordan
t r o y j @ m a i n e . e d u
GIAC GCIH,GCIA
------------------------------------------------------------
Network Systems Security Analyst
Information Technology Security Office
University of Maine System
------------------------------------------------------------
233 Science Building | voice: 207.561.3590
Portland, ME 04103 | fax: 509.351.3650
"As you all know, Security Is Mortals chiefest Enemy"
William Shakespeare, Macbeth
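
A pre-flight check for the rule described in the message above, as an added example that is not part of the original post and is not the Spicy/HILTI validator. It assumes the one-line `<label> -> <field>: <Type>;` case form shown in the post and that the text passed in is the body of a single unit; the function and constant names are hypothetical.

```python
import re
from collections import defaultdict

# One switch case in the one-line form used in the post: <label> -> <field>: <Type>;
CASE_RE = re.compile(r"^\s*(.+?)\s*->\s*(\w+)\s*:\s*([\w:]+)\s*;")

def field_type_conflicts(unit_source):
    """Return {field: [(line, label, type), ...]} for fields bound to >1 type.

    Assumption: unit_source is the body of a single unit, so all switch
    cases share one field namespace, as the post describes.
    """
    uses = defaultdict(list)
    for lineno, line in enumerate(unit_source.splitlines(), start=1):
        if line.lstrip().startswith("#"):      # skip commented-out cases
            continue
        m = CASE_RE.match(line)
        if m:
            label, field, type_name = m.groups()
            uses[field].append((lineno, label, type_name))
    return {f: u for f, u in uses.items() if len({t for _, _, t in u}) > 1}

# Constructed inputs: the three snippets from the post.
DISTINCT_NAMES = '''
switch ( self.fcode ) {
    b"0x01" -> data1: CoilPDU;
    b"0x03" -> data2: HregisterPDU;
}
'''
SAME_TYPE = '''
switch ( self.fcode ) {
    b"0x01" -> data1: CoilPDU;
    b"0x03" -> data1: CoilPDU;
}
'''
REUSED_NAME = '''
switch ( self.fcode ) {
    b"0x01" -> data: CoilPDU;
    b"0x03" -> data: HregisterPDU;
}
'''

if __name__ == "__main__":
    for name, src in [("distinct", DISTINCT_NAMES), ("same type", SAME_TYPE),
                      ("reused", REUSED_NAME)]:
        for field, found in field_type_conflicts(src).items():
            for lineno, label, type_name in found:
                print(f"{name}: line {lineno}: {label} -> '{field}' as {type_name}")
```

Only the third snippet is reported, matching the case the post says fails.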