[Bro] Digging through Source Code

Daniel Guerra daniel.guerra69 at gmail.com
Tue Jun 20 14:43:36 PDT 2017


Talking about ASN1. Would bro be able to read ETSI standard files?


On 20/06/2017 at 22:42, Weasel, Gary W Jr CIV DISA RE (US) wrote:
> Yes, but there's something that's still stumping me.
>
> Looking at line 70 from https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-analyzer.pac
>
> case 8:
>         if ( element->data()->etype()->data()->size() )
>                 rv->Assign(11, proc_cipher_list(element->data()->etype()));
>
> Following the breadcrumb trail in the if statement here...
>
>         element is type KRB_REQ_Arg (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-protocol.pac)
> ->      data is type KRB_REQ_Arg_Data (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-protocol.pac)
> ->      etype is type Array (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/asn1/asn1.pac)
> ->      data is type ASN1Encoding (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/asn1/asn1.pac)
> ->      size is type ?
>
> Following this line of thought, I'm a little confused by what "size()" is supposed to mean here, since it's not an attribute.  I can infer that it's simply returning the size of the record, but I don't have any information as to how or where that would be defined.  I've also tried looking through the source of BinPAC (https://www.bro.org/sphinx/components/binpac/README.html) but have come up empty so far.
>
> I have a sample of kerberos pcap that populates the msg$pa_data$encryption_type vector (from event krb_tgs_request), so I know that the aforementioned if statement is returning true -- but the other two vectors "host_addrs" and "additional_tickets" (that from documentation seem to imply they're parallel with the encryption_type vector) come up as <uninitialized>.
>
> This made me question that maybe there was something wrong with the code that was causing it to miss the host_addr and ticket data; I clearly find this data in my pcap sample under padata.  This is my current theory anyway, and wanted to see if I'm making a bad assumption somewhere or if someone can shed light on what's going on here.
>
>
> -----Original Message-----
> From: Azoff, Justin S [mailto:jazoff at illinois.edu]
> Sent: Tuesday, June 20, 2017 3:28 PM
> To: Weasel, Gary W Jr CIV DISA RE (US) <gary.w.weasel2.civ at mail.mil>
> Cc: bro at bro.org
> Subject: Re: [Bro] Digging through Source Code
>
>
>> On Jun 20, 2017, at 3:14 PM, Weasel, Gary W Jr CIV DISA RE (US) <gary.w.weasel2.civ at mail.mil> wrote:
>>
>> All,
>>
>> I've been digging through the Bro source code, and there's been something that's mystifying me for a while now.
>>
>> type Array = record {
>>        array_meta: ASN1EncodingMeta;
>>        data:       ASN1Encoding[];
>> };
>>
>> As from https://github.com/bro/bro/blob/57da2d091b30aad52d52fce8018feeb2cdf8ff1f/src/analyzer/protocol/asn1/asn1.pac
>>
>> I have no clue what "record" is in this context.  I suspect it has other attributes that are being inherited, but I haven't found anything to indicate what this is.  Does anyone have any insight into this?
>>
>> Thanks,
>> - Gary
> Does this help?
>
> https://www.bro.org/sphinx/script-reference/types.html#type-record
>
>
> --
> - Justin Azoff
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
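Gary's quoted question about where `size()` comes from, as an added C++ sketch (not code from Bro or binpac): it hand-writes the shape binpac is assumed to generate for the records named in the thread, so the `case 8` guard and the etype extraction can be run stand-alone. Assumed: binpac lowers a `T[]` field to a `vector<T*>*` with an accessor named after the field; the helpers `has_cipher_list`, `cipher_list` and `make_sample` are invented for this demo.

```cpp
#include <cstdint>
#include <vector>

// Only the parts of asn1.pac's ASN1EncodingMeta / ASN1Encoding the etype walk touches.
struct ASN1EncodingMeta { uint8_t tag = 0; uint64_t length = 0; };
struct ASN1Encoding {
    ASN1EncodingMeta meta_;
    std::vector<uint8_t> content_;   // stands in for binpac's bytestring
    const std::vector<uint8_t>& content() const { return content_; }
};

// binpac: type Array = record { array_meta: ASN1EncodingMeta; data: ASN1Encoding[]; };
// Assumed lowering: `ASN1Encoding[]` becomes a pointer to a vector of element pointers
// plus an accessor named after the field, so data()->size() is std::vector::size().
struct Array {
    ASN1EncodingMeta array_meta_;
    std::vector<ASN1Encoding*>* data_ = nullptr;
    std::vector<ASN1Encoding*>* data() const { return data_; }
};

// The etype branch of KRB_REQ_Arg_Data (krb-protocol.pac) and its parent record.
struct KRB_REQ_Arg_Data {
    Array* etype_ = nullptr;
    Array* etype() const { return etype_; }
};
struct KRB_REQ_Arg {
    KRB_REQ_Arg_Data* data_ = nullptr;
    KRB_REQ_Arg_Data* data() const { return data_; }
};

// The `case 8` guard from krb-analyzer.pac: only a non-empty etype SEQUENCE is passed on.
bool has_cipher_list(const KRB_REQ_Arg* element) {
    return element->data()->etype()->data()->size() != 0;
}

// What proc_cipher_list would collect: each element's content read as a
// big-endian ASN.1 INTEGER, i.e. the Kerberos etype number.
std::vector<int64_t> cipher_list(const KRB_REQ_Arg* element) {
    std::vector<int64_t> out;
    for (const ASN1Encoding* e : *element->data()->etype()->data()) {
        int64_t v = 0;
        for (uint8_t b : e->content()) v = (v << 8) | b;
        out.push_back(v);
    }
    return out;
}

// Constructed sample, not a real capture: etype SEQUENCE {18, 17, 23}. Nodes are
// new'd and never freed here; in generated code the parse tree owns them.
KRB_REQ_Arg* make_sample(std::vector<uint8_t> etypes = {18, 17, 23}) {
    auto* vec = new std::vector<ASN1Encoding*>;
    for (uint8_t t : etypes) vec->push_back(new ASN1Encoding{{0x02, 1}, {t}});
    return new KRB_REQ_Arg{new KRB_REQ_Arg_Data{new Array{{0x30, 0}, vec}}};
}
```

An empty etype SEQUENCE makes the guard false, which is exactly the case in which `encryption_type` would stay unset.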