[Bro] BinPAC analyzer name

Dane Wullen brot212 at googlemail.com
Mon Nov 28 15:45:12 PST 2016


Well, I tested this behavior with the "standard code" generated by the 
binpac python script. I named one analyzer Test and the other AMS.

Both have the same PDU record type (except for the name of course)

type NAME_PDU(is_orig: bool) = record {
     data: bytestring &restofdata;
} &byteorder=bigendian;

and the same analyzer.pac (except for the name again) with the same 
"proc" function:

function proc_NAME_message(msg: NAME_PDU) : bool
...
     BifEvent::generate_NAME_event(...);
     std::cout << "Name PDU" << std::endl; // for debugging
...

Both analyzers are enabled (checked it with -B dpd and -NN)

When I run it with some .pcap file, I only get the "Test PDU" output. 
Tested it with several .pcap files, every time the same result.

Dane

On 29.11.2016 at 00:15, Johanna Amann wrote:
> Interesting, I am not really aware of any reason why just using AMS should
> not work.
>
> Do you happen to have your code up on github (or somewhere else)? Then I
> could take a look.
>
> If you want to investigate for a bit yourself, build bro with
> --enable-debug, start it with -B dpd and look at debug.log. There you
> should see if data is sent to your analyzer - that might already give you
> pointers if something is going wrong at/before/after this step.
>
> Johanna
>
> On Tue, Nov 29, 2016 at 12:11:00AM +0100, Dane Wullen wrote:
>> Hey,
>>
>> thanks for your reply.
>>
>> "Don't work" means that it doesn't raise any event nor executes the (C++)
>> code in the analyser.pac file. It's like it can't read the traffic or
>> something.
>>
>> Like I said, when I name it Test or PROTO-AMS or something like that, it
>> works fine.
>>
>> Dane
>>
>> On 29.11.2016 at 00:05, Johanna Amann wrote:
>>> By don't work - do you mean that it doesn't compile? Or does it not get
>>> any traffic? Or does it not raise events?
>>>
>>> Johanna
>>>
>>> On Mon, Nov 07, 2016 at 11:56:01PM +0100, Dane Wullen wrote:
>>>> Hi there,
>>>>
>>>> I wrote a new analyzer with BinPAC for a protocol named 'AMS'.
>>>> Somehow when I create the analyzer via the binpac python script and name
>>>> the analyzer 'AMS' or 'ams', the analyzer won't work. When I name it
>>>> 'TEST' or 'test', it works fine (same protocol specification, C++ Code,
>>>> etc.)
>>>>
>>>> Is there a naming convention for new analyzers? Or does anyone know why
>>>> BinPAC/Bro won't accept the name 'ams'?
>>>>
>>>> Thank you!
>>>>
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>
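A check worth running before the debug.log step, added here as an example and not code from this thread: a Python script that scans .pac sources for the three generated identifiers Dane's snippets rely on (type NAME_PDU, proc_NAME_message, BifEvent::generate_NAME_event) and reports any spelling of the analyzer name that does not agree across them. The .pac fragments are constructed, and the mismatch they contain (proc_ams_message next to AMS_PDU) is an assumed scenario, not the cause diagnosed in the thread.

```python
import re

# Constructed .pac fragments (hypothetical, not the poster's files) that follow the
# naming pattern quoted in the thread: type NAME_PDU, proc_NAME_message,
# BifEvent::generate_NAME_event. The proc function deliberately uses "ams".
SAMPLE_PAC_FILES = {
    "ams-protocol.pac": """
type AMS_PDU(is_orig: bool) = record {
     data: bytestring &restofdata;
} &byteorder=bigendian;
""",
    "ams-analyzer.pac": """
function proc_ams_message(msg: AMS_PDU) : bool
%{
     BifEvent::generate_AMS_event(connection()->bro_analyzer());
     return true;
%}
""",
}

# Each pattern captures the analyzer name embedded in one generated identifier.
NAME_PATTERNS = {
    "pdu_type":  re.compile(r"\btype\s+(\w+?)_PDU\s*\("),
    "proc_func": re.compile(r"\bfunction\s+proc_(\w+?)_message\s*\("),
    "proc_arg":  re.compile(r"\bmsg:\s*(\w+?)_PDU\b"),
    "bif_event": re.compile(r"BifEvent::generate_(\w+?)_event\s*\("),
}

def collect_names(files):
    """Map each spelling of the analyzer name to the (file, identifier kind) pairs using it."""
    seen = {}
    for fname, text in files.items():
        for kind, rx in NAME_PATTERNS.items():
            for m in rx.finditer(text):
                seen.setdefault(m.group(1), set()).add((fname, kind))
    return seen

def check_names(files):
    """Return human-readable problems; an empty list means every identifier agrees."""
    seen = collect_names(files)
    problems = []
    if len({n.lower() for n in seen}) > 1:
        problems.append("more than one analyzer name: " + ", ".join(sorted(seen)))
    elif len(seen) > 1:
        problems.append("analyzer name differs only by case: " + ", ".join(sorted(seen)))
    for name, uses in sorted(seen.items()):
        missing = sorted(set(NAME_PATTERNS) - {kind for _, kind in uses})
        if missing:
            problems.append(f"{name}: not used in {', '.join(missing)}")
    return problems

if __name__ == "__main__":
    for line in check_names(SAMPLE_PAC_FILES) or ["no naming problems found"]:
        print(line)
```

Pointing the same check at real .pac files only needs the file contents read into the dictionary; it deliberately treats case differences as a problem since the thread mentions both 'AMS' and 'ams'.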
