[Bro] Issues with data structures

Ben Mixon-Baca bmixonb1 at cs.unm.edu
Fri Jul 22 13:50:32 PDT 2016 

Hi,

I am trying to build a 2D histogram based byte values in a tcp payload.
I look at each byte independently. So I get 2^8 possible byte values
which I use as a row index. the first 256 or so bytes of the payload as
passed from the tcp_packet function are where I get this, and the
specific byte position in the payload is suppose to give me the column
index. I initially was trying the following using the with and without
the SumStats framwork. The code below is with SumStats:

module BytePatterns;

export {
   global other_counts: vector of table[string] of count;
}

<Stuff>
$epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
      {
      local tmp: table[string] of count;
      if ("prefix" in result)
         {
         local i = 0;
         local payload = SumStats::key2str(key);
         for (bytei in payload)
            {
            bytei = string_to_ascii_hex(bytei);
           if (i !in BytePatterns::other_counts)
             {
             BytePatterns::other_counts[i] = tmp;
             }
          if (bytei !in BytePatterns::other_counts[i])
             {
             BytePatterns::other_counts[i][bytei] = 0;
             }
         BytePatterns::other_counts[i][bytei] += 1;
         i += 1;
         }
      }

<Stuff>

event tcp_packet(c: connection , is_orig: bool , flags: string , seq:
count , ack: count , len: count , payload: string )
    {
    if (is_orig)
      {
      if (c$seen_syn == T)
         {
         c$acks += 1;
         if (c$acks == 2 && len > 0)
           {
           print fmt("%s", BytePatterns::eseen);
           SumStats::observe("prefix",[$str=payload], [$str=payload]);
           }
         }
      }
    }


Based on other state, this event should only be getting 3 payloads with
a trace file I made for testing. The column sum should therefore be 3
for all columns, however, when I run this code, I am getting
significantly larger counts.

I am wondering if the way I am adding tables to the other_counts, data
structure is somehow causing this behavior. Or possibly something with
the way I am using SumStats and it is not doing what I think it is.

Thank you in advance.

-- 
Ben

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160722/13b24855/attachment.bin

More information about the Bro mailing list