[Bro] Global array in context?

Luis Martin martin.liras at gmail.com
Fri Apr 29 07:21:10 PDT 2016 

Hi all,

I will repond to myself.

I finally got it to work modifying the connection class and adding the
array:

refine connection UmasTCP_Conn += {
        %member{
                int previous_fcs[256];
        %}
};


Adding a RESPONSE type that call to a function to recover the FC data from
the array:

type XXX{
(...)
} &let {
       (...)
       ufc: uint8 =
$context.connection.get_Previous_FC(header.Transport_id);
};

And writing two functions in the analyzer.pac file:

refine connection MyProtTCP_Conn += {
        (...)

        function get_Previous_FC(Transport_id: int): int
        %{
                return previous_fcs[tid%256];
        %}

        function SetTID_FC(transport_id:int, ufc:int): bool
        %{
                previous_fcs[transport_id%256]=ufc;

                return true;
        %}


The second one is called every time a message event is detected:

 function deliver_message(header: BinPAC_TCP_Header, MYPROTheader:
BinPAC_MYPROT_header): bool
                %{
                if ( ::MyProt_message )
                   {
                           connection()->SetTID_FC(${header.transport_id},
${MYPROTheader.myprot_fc});


Works fine.

Thanks anyway!

2016-04-29 14:19 GMT+02:00 Luis Martin <martin.liras at gmail.com>:

> Hi,
>
> I'm trying to develop an application level analyzer.
>
> My protocol has a request/response architectutrte, and the
> request/response message structure depends on a Function Code.
>
> This Function Code is sent in the request message, but NOT in the response
> message.
>
> So, when I receive a response I don't know if it belongs to the request A
> or the request B.
>
> The only way to know that is checking the transport level ID.
>
> So, I need to maintain any kind of array that relate transport id values
> and function codes.
>
> My question is how to do that.
>
> I need to read and write that global value in the MyProt-protocol.pac
> file. But I don't know how to maintain a global variable in binpac.
>
> I've been trying to do it within the $context, but I don't know how to
> write a value in a type added to the context.
>
> Any idea?
>
> Thank you!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160429/fa51a807/attachment.html

More information about the Bro mailing list