[Bro] Problems in writing an analyzer for custom TCP-based protocol

Vlad Grigorescu vladg at illinois.edu
Mon Jul 3 12:26:20 PDT 2017


Valerio,

As you probably know, BinPAC supports reading data in via two "modes" --
flowunit or datagram:

flowunit (https://www.bro.org/sphinx/components/binpac/README.html#id20):

> When flowunit is used, the analyzer uses flow buffer to handle
> incremental input and provide support for &oneline/&length. For
> further detail on this, see Buffering.

datagram (https://www.bro.org/sphinx/components/binpac/README.html#id21):

> Opposite to flowunit, by declaring data unit as datagram, flow buffer
> is opted out. This results in faster parsing but no incremental input
> or buffering support.

Additionally, there is a TCP reassembler that you can use to handle data
across multiple TCP packets.

From what you said below, it sounds like you would want flowunit parsing
and the TCP reassembler.

The MySQL analyzer might be a good example that you can reference:

https://github.com/bro/bro/tree/master/src/analyzer/protocol/mysql

Other analyzers that use the TCP reassembler are: DNP3, GSSAPI, IMAP,
KRB_TCP, Modbus, NTLM, RDP, RFB, SIP_TCP, SOCKS, SSH, SSL, Syslog and XMPP.

  --Vlad

Valerio <valerio.click at gmx.com> writes:

> Hi all,
>
> I am trying to write a simple analyzer with BinPAC for a custom binary
> TCP protocol with the following structure
>
> +------------+---------------------------------------------------------+
> |FIXED       |    MESSAGE_1 # MESSAGE_2 # .......# MESSAGE_N           |
> |HEX PREFIX  |                                                         |
> +------------+---------------------------------------------------------+
>
> The problem is that the above structure doesn't have a fixed length and,
> therefore, it can be spread across several TCP packets.
>
> At the moment, my prot_protocol.pac file has the following structure:
>
> type PROT_Message = record {
> 	entry: uint8[] &until($input.length() == 0);
> };
>
> type PROT_PDU(is_orig: bool) = record {
> 	entry : bytestring &restofdata;
> } &byteorder=bigendian;
>
> While the analyzer processes every packet by calling the following
> function (as defined in prot_analyzer.pac):
>
> refine flow PROT_FLOW += {
> 	function proc_prot_message(msg: PROT_PDU): bool
> [...]
>
> The analyzer is activated with a dpd signature that matches the FIXED
> HEX PREFIX.
> Once activated, the function proc_prot_message is called for each packet
> in the session exposing in msg its payload.
>
> What is the best way to feed the analyzer with the whole reassembled TCP
> payload so that I can process it once without having to keep state while
> processing each single packet?
>
> many thanks in advance,
> Valerio
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
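The buffering that flowunit mode plus the TCP reassembler give an analyzer, modelled as an added Python example (this is not Bro/BinPAC code and comes from neither poster): bytes are held across segment boundaries and the parser only ever sees whole '#'-terminated messages, so the result does not depend on how the stream was segmented. The prefix value is a constructed placeholder, and the last message is assumed to end with the connection rather than with a '#'.

```python
"""Incremental framing for the prefix + '#'-separated stream from the thread."""
from typing import List, Optional

PREFIX = bytes.fromhex("cafe0001")   # constructed placeholder, not the real prefix
DELIM = b"#"


class ProtFlow:
    """Per-direction state: what one BinPAC flow buffer keeps for you."""

    def __init__(self) -> None:
        self.buf = bytearray()          # bytes not yet consumed by the parser
        self.prefix_seen = False
        self.messages: List[bytes] = []

    def deliver(self, segment: bytes) -> List[bytes]:
        """Feed one TCP segment payload; return the messages it completed."""
        self.buf += segment
        done: List[bytes] = []
        if not self.prefix_seen:
            if len(self.buf) < len(PREFIX):
                return done             # incremental input: wait for more bytes
            if not self.buf.startswith(PREFIX):
                raise ValueError("stream does not start with the fixed prefix")
            del self.buf[:len(PREFIX)]
            self.prefix_seen = True
        # A message is complete only once its '#' has arrived; the tail after
        # the last '#' stays buffered until the next segment or end of flow.
        while (i := self.buf.find(DELIM)) != -1:
            done.append(bytes(self.buf[:i]))
            del self.buf[:i + 1]
        self.messages.extend(done)
        return done

    def end_of_flow(self) -> Optional[bytes]:
        """Connection closed: the unterminated tail is MESSAGE_N."""
        tail = bytes(self.buf) if self.buf else None
        self.buf.clear()
        if tail is not None:
            self.messages.append(tail)
        return tail


def parse_segments(segments: List[bytes]) -> List[bytes]:
    """Run a whole flow through the framer; segment boundaries are arbitrary."""
    flow = ProtFlow()
    for seg in segments:
        flow.deliver(seg)
    flow.end_of_flow()
    return flow.messages
```

Feeding the same payload as one segment or as several cut mid-prefix and mid-message yields the same message list, which is exactly the property a per-packet datagram parser lacks.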