[Bro] Dealing with tcp-based Unknown Protocols
Jon Siwek
jsiwek at corelight.com
Mon Dec 11 08:40:39 PST 2017
On Mon, Dec 11, 2017 at 12:45 AM, Shuai Hao <haoscs at gmail.com> wrote:
> In addition, according to this message
> http://mailman.icsi.berkeley.edu/pipermail/bro/2007-December/002593.html,
> Robin mentioned the method DPM::BuildInitialAnalyzerTree() in DPM.{h, cc}
> (Manage::BuildInitialAnalyzerTree() in current distribution). With the
> source code,
> https://github.com/bro/bro/blob/master/src/analyzer/Manager.cc
> it seems that we can initiate an analyzer here when seeing a connection
> which is non-TCP, non-UDP, and non-ICMP. However, if we assume all TCP-based
> protocols, where we should look at if we have to touch the source code?
The first thing that comes to my mind would still be trying to
unconditionally add your analyzer in
analyzer::Manager::BuildInitialAnalyzerTree. If it's just TCP that
you need, that's fine, see the other tcp->AddChildAnalyzer() calls
there for ideas.
Then, the other part of your problem would be disabling that analyzer
when any other protocol analyzer is confirmed. An idea would be to
periodically (e.g. every DeliverPacket) walk the analyzer tree (e.g.
analyzer::Parent() and analyzer::GetChildren()) and check whether
analyzer::ProtocolConfirmed() is true for anything. You could also
maybe just handle this in scripts via Analyzer::protocol_confirmation
event and Analyzer::disable_analyzer() functions.
The PIA implementation is related to protocol matching, but not sure
whether you'd need to modify anything there to get what you want.
Hope that helps.
- Jon
More information about the Bro
mailing list