[Bro] icap plugin/analyzer

Tue Oct 4 10:56:53 PDT 2016

Mark posted this to the bro-dev list:

From: <bro-dev-bounces at bro.org> on behalf of Mark Fernandez <mfernandez at mitre.org>
Date: Friday, September 30, 2016 at 1:42 PM
To: "'bro-dev at bro.org'" <bro-dev at bro.org>
Subject: [Bro-Dev] ICAP Analyzer: BinPAC vs Plugin :: RegEx Issues

In support of submitting the ICAP Analyzer as a Bro Package, I am porting the ICAP Analyzer to build as a dynamic Plugin.  Originally, I inserted the ICAP Analyzer straight into the source code tree, under /src/analyzer/protocol/icap, and compiled it as part of the Bro core.  But in an effort to make it easier for others to integrate into their existing Bro instantiations, I am making the effort to make it a stand-alone Plugin instead… but the BinPAC parser is not working when I run it as a Plugin.

The Plugin builds and installs without error, and I verify that the Plugin is enabled and that my ICAP main.bro script is loaded, but it is not producing any ICAP or HTTP related output:

(a)     It appears that the parser is not recognizing the ICAP Request messages whatsoever.

(b)     It starts to parse the ICAP Response messages; but it breaks mid-way thru the packet.

I think the problem is within the BinPAC files where I use regular expressions to define a data element within the ICAP packet structures/records.  In the ICAP Request message, the very first element is a regex pattern, so that’s why it fails to parse these packets at all.  In the ICAP Response message, it parses the first element correctly, but then it bombs on the second element, which is a regex pattern.

In the BinPAC help/reference document, it contains a section titled, “Running Binpac-Generated Analyzer Standalone” [https://www.bro.org/sphinx/components/binpac/README.html#running-binpac-generated-analyzer-standalone], which states that to run binpac-generated code independent of Bro, the regex library must be substituted…  I presume the stand-alone guidance applies to the Plugin?  It must because I did not have this trouble when I built the analyzer straight into the Bro core.

The regex library guidance says I need to include three header files: RE.h, bro-dummy.h, and binpac_pcre.h.  You provide sample code for each file.  Am I to copy-n-paste the sample code directly into my Plugin source code as three new headers files?  Or do these three files exist elsewhere in the Bro source?  I can find “RE.h” in the source (/src/RE.h).  And I can find “binpac_regex.h” in the source (/aux/binpac/lib/binpac_regex.h), which seems similar, but I cannot find “binpac_pcre.h” nor “bro_dummy.h” anywhere.

I need a little bit of advice… or a lot of advice :)  Can I use RE.h and binpac_regex.h that exist in the Bro 2.4.1 distro?  Or do I need to create the three header files and paste the sample code verbatim?

Thanks!
Mark

Mark I. Fernandez
MITRE Corporation

Email: mfernandez at mitre.org<mailto:mfernandez at mitre.org>

MITRE is a not-for-profit corporation that operates
several Federally Funded Research and Development
Centers (FFRDCs) in the interests of the US Government.

------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

From: <bro-bounces at bro.org> on behalf of erik clark <philosnef at gmail.com>
Date: Tuesday, October 4, 2016 at 12:47 PM
To: "bro at bro.org" <bro at bro.org>
Subject: [Bro] icap plugin/analyzer

Where is the icap plugin/analyzer located? I dont have Mark Fernandez's contact info to find out. Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161004/ab6f5528/attachment.html 