[Bro] Calling external functions in binpac protocol parser

Shuai Hao haoscs at gmail.com
Wed Dec 20 12:01:32 PST 2017


Hi All,

(1) I wonder that what's the rationales of removing the binpac files for
some common protocols (e.g., HTTP, DNS, et al.)? Does current bro
distribution only include the handwritten protocol parsers for those
protocols?

I can find the http-{protocol, analyzer}.pac files have been removed since
bro-2.2. I checked the CHANGE log but cannot find the explanation.

(2) We create a "general" analytic module that includes APIs (e.g., passing
a key/value pair) can be called by multiple protocol parsers such as HTTP
and DNS (essentially we only want the "parser" instead of the whole
"analyzer" part; that's the reason we are looking for the
http-protocol.pac).

We develop such module as a plugin, say "Sample::Test" which includes a
function test_func(...). We have another sample protocol parser including
following code:

> type myPDU() = record {
>     data: bytestring &restofflow;
> } &byteorder = bigendian & let{
>     deliver: bool = $context.flow.myFUNC();
>};

> flow myFLOW() {
>     flowunit = myPDU(...);
>
>     function myFUNC() {
>         Sample::test_func(...);
>     }

That is, in current sample module we want the external function being
called when receiving a protocol flow PDU (in &let {...}). So how we can
get the binpac (protocol parser) recognize the function Sample::test_func()
written in another plugin Sample::Test? I can see in
/src/analyzer/protocols, the analyzers can include the functionality from
another analyzer by including the headers such as #include
"analyzer/protocols/tcp/...". But when writing the plugins in
/aux/bro-aux/plugin-support, how can we do that?

Thanks very much!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20171220/96920bb4/attachment.html 


More information about the Bro mailing list