[Bro] Issues with data structures
Ben Mixon-Baca
bmixonb1 at cs.unm.edu
Fri Jul 22 13:50:32 PDT 2016
Hi,
I am trying to build a 2D histogram based on byte values in a TCP payload.
I look at each byte independently, so I get 2^8 possible byte values,
which I use as a row index. The first 256 or so bytes of the payload, as
passed from the tcp_packet function, are where I get this, and the
specific byte position in the payload is supposed to give me the column
index. I initially was trying the following, with and without the
SumStats framework. The code below is with SumStats:
module BytePatterns;

export {
        # other_counts[position] maps a byte value (as a hex string) to the
        # number of times it was seen at that payload position.
        global other_counts: vector of table[string] of count;
}

<Stuff>

$epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
        {
        if ("prefix" in result)
                {
                local i = 0;
                local payload = SumStats::key2str(key);
                for (bytei in payload)
                        {
                        local hexbyte = string_to_ascii_hex(bytei);
                        if (i !in BytePatterns::other_counts)
                                {
                                # Tables are reference types: storing one
                                # "local tmp" at every index would make all
                                # positions share a single table, so build a
                                # fresh table per position instead.
                                BytePatterns::other_counts[i] = table();
                                }
                        if (hexbyte !in BytePatterns::other_counts[i])
                                {
                                BytePatterns::other_counts[i][hexbyte] = 0;
                                }
                        BytePatterns::other_counts[i][hexbyte] += 1;
                        i += 1;
                        }
                }
        }

<Stuff>

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
        {
        if (is_orig)
                {
                if (c$seen_syn == T)
                        {
                        c$acks += 1;
                        # Only the first data-carrying segment after the
                        # handshake is fed into SumStats.
                        if (c$acks == 2 && len > 0)
                                {
                                print fmt("%s", BytePatterns::eseen);
                                SumStats::observe("prefix", [$str=payload], [$str=payload]);
                                }
                        }
                }
        }
Based on other state, this event should only be getting 3 payloads with
a trace file I made for testing. The column sum should therefore be 3
for all columns; however, when I run this code, I am getting
significantly larger counts.
I am wondering if the way I am adding tables to the other_counts data
structure is somehow causing this behavior, or possibly something with
the way I am using SumStats and it is not doing what I think it is.
Thank you in advance.
--
Ben
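A way to reproduce the data-structure behaviour the post describes, as an added example that is not part of the original email and is not Bro code: a Python model of the same position-by-byte-value histogram. It builds the structure once with a single shared table stored at every position and once with a table allocated per position, then checks each column sum against the number of payloads that reach that position. The three sample payloads are constructed stand-ins for the trace; the 256-byte prefix length is the one the post uses.

```python
# Added example, not code from the original post or from Bro: a Python
# model of the other_counts structure (list index = byte position,
# dict key = byte value) built over constructed sample payloads.

PREFIX_LEN = 256  # only the first 256 bytes of each payload are counted

# Constructed stand-ins for the three TCP payloads the post expects
# from its test trace (38, 48 and 43 bytes long).
SAMPLE_PAYLOADS = [
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(range(32)),
]


def build_histogram_shared(payloads):
    """Mirrors storing one 'tmp' table at every index: all 256 slots
    reference the same dict, so every position's increments land in one
    table and each column sum grows to the total number of bytes seen."""
    shared = {}
    columns = [shared] * PREFIX_LEN  # 256 references to a single dict
    for payload in payloads:
        for pos, value in enumerate(payload[:PREFIX_LEN]):
            columns[pos][value] = columns[pos].get(value, 0) + 1
    return columns


def build_histogram(payloads):
    """Allocates a fresh table per position, so the column sum at each
    position equals the number of payloads long enough to reach it
    (3 for every column only if every payload has at least 256 bytes)."""
    columns = [{} for _ in range(PREFIX_LEN)]
    for payload in payloads:
        for pos, value in enumerate(payload[:PREFIX_LEN]):
            columns[pos][value] = columns[pos].get(value, 0) + 1
    return columns


def column_sum(columns, pos):
    """Total observations recorded at byte position pos."""
    return sum(columns[pos].values())


def check_column_sums(columns, payloads):
    """True when every column sum equals the number of payloads that
    reach that position, i.e. each byte was counted exactly once."""
    for pos in range(PREFIX_LEN):
        expected = sum(1 for p in payloads if len(p) > pos)
        if column_sum(columns, pos) != expected:
            return False
    return True


if __name__ == "__main__":
    good = build_histogram(SAMPLE_PAYLOADS)
    bad = build_histogram_shared(SAMPLE_PAYLOADS)
    print("per-position tables, column 0 sum:", column_sum(good, 0))
    print("shared table, column 0 sum:", column_sum(bad, 0))
    print("per-position tables consistent:", check_column_sums(good, SAMPLE_PAYLOADS))
    print("shared table consistent:", check_column_sums(bad, SAMPLE_PAYLOADS))
```

The shared form is the Python analogue of Bro's reference semantics for tables: assigning the same local table to every vector index stores one object, not a copy, so the column sums reach the total byte count instead of 3. Note also that with payloads shorter than 256 bytes the per-position sums drop off past the shortest payload's length even when the structure is correct.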