[Bro] Digging through Source Code

Johanna Amann johanna at icir.org
Thu Jun 22 12:45:25 PDT 2017


I don't know ETSI standard files, but just assuming they are some kind of
ASN.1 data:

While Bro has a bit of ASN.1 parsing capability (meaning that there is a
binpac definition for parts of ASN.1), the implementation is limited to a
small subset of ASN.1. Furthermore, it is not a generic parser - one still
has to implement the actual parsing logic for the specific ASN.1 data on
top of the existing primitives.

So - no, not currently.

Johanna

On Tue, Jun 20, 2017 at 11:43:36PM +0200, Daniel Guerra wrote:
> Talking about ASN1. Would bro be able to read ETSI standard files ?
> 
> 
> Op 20/06/2017 om 22:42 schreef Weasel, Gary W Jr CIV DISA RE (US):
> > Yes, but there's something that's still stumping me.
> >
> > Looking at line 70 from https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-analyzer.pac
> >
> > case 8:
> >         if ( element->data()->etype()->data()->size() )
> >                 rv->Assign(11, proc_cipher_list(element->data()->etype()));
> >
> > Following the breadcrumb trail in the if statement here...
> >
> >         element is type KRB_REQ_Arg (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-protocol.pac)
> > ->      data is type KRB_REQ_Arg_Data (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-protocol.pac)
> > ->      etype is type Array (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/asn1/asn1.pac)
> > ->      data is type ASN1Encoding (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/asn1/asn1.pac)
> > ->      size is type ?
> >
> > Following this line of thought, I'm a little confused by what "size()" is supposed to mean here, since it's not an attribute.  I can infer that it's simply returning the size of the record, but I don't have any information as to how or where that would be defined.  I've also tried looking through the source of BinPAC (https://www.bro.org/sphinx/components/binpac/README.html) but have come up empty so far.
> >
> > I have a sample of kerberos pcap that populates the msg$pa_data$encryption_type vector (from event krb_tgs_request), so I know that the aforementioned if statement is returning true, but the other two vectors "host_addrs" and "additional_tickets" (that from documentation seem to imply they're parallel with the encryption_type vector) come up as <uninitialized>.
> >
> > This made me question that maybe there was something wrong with the code that was causing it to miss the host_addr and ticket data; I clearly find this data in my pcap sample under padata.  This is my current theory anyway, and wanted to see if I'm making a bad assumption somewhere or if someone can shed light on what's going on here.
> >
> >
> > -----Original Message-----
> > From: Azoff, Justin S [mailto:jazoff at illinois.edu]
> > Sent: Tuesday, June 20, 2017 3:28 PM
> > To: Weasel, Gary W Jr CIV DISA RE (US) <gary.w.weasel2.civ at mail.mil>
> > Cc: bro at bro.org
> > Subject: Re: [Bro] Digging through Source Code
> >
> >
> >
> >> On Jun 20, 2017, at 3:14 PM, Weasel, Gary W Jr CIV DISA RE (US) <gary.w.weasel2.civ at mail.mil> wrote:
> >>
> >> All,
> >>
> >> I've been digging through the Bro source code, and there's been something that's mystifying me for a while now.
> >>
> >> type Array = record {
> >>        array_meta: ASN1EncodingMeta;
> >>        data:       ASN1Encoding[];
> >> };
> >>
> >> As from https://github.com/bro/bro/blob/57da2d091b30aad52d52fce8018feeb2cdf8ff1f/src/analyzer/protocol/asn1/asn1.pac
> >>
> >> I have no clue what "record" is in this context.  I suspect it has other attributes that are being inherited, but I haven't found anything to indicate what this is.  Does anyone have any insight into this?
> >>
> >> Thanks,
> >> - Gary
> > Does this help?
> >
> > https://www.bro.org/sphinx/script-reference/types.html#type-record
> >
> >
> > --
> > - Justin Azoff
> >
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
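Johanna's point above is that binpac only gives you the ASN.1 building blocks (the ASN1EncodingMeta / ASN1Encoding tag-length-value records Gary found in asn1.pac); the structure-specific walk, such as the etype handling in case 8 of krb-analyzer.pac, still has to be written by hand. The following is an added example, not code from Bro, binpac or any of the posters, showing what that hand-written layer does for one Kerberos field, etype [8] SEQUENCE OF Int32, in plain C++ with no binpac involved. The names der::read_tlv, der::read_int, parse_etype_list and sample_etype_bytes are this example's own, and the input bytes are constructed, not taken from a capture.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Added example, not Bro/binpac code: a minimal DER tag/length/value
// decoder plus the structure-specific logic for
//   etype [8] SEQUENCE OF Int32   (from Kerberos KDC-REQ-BODY).
namespace der {

struct Tlv {
    uint8_t tag;      // identifier octet: class, constructed bit, number
    size_t  len;      // content length in bytes
    size_t  content;  // offset of the first content byte in the buffer
    size_t  end() const { return content + len; }
};

// Decode one TLV header at buf[off]. Throws on a truncated header,
// indefinite length (not allowed in DER) or a length past the buffer.
inline Tlv read_tlv(const std::vector<uint8_t>& buf, size_t off) {
    if (off + 2 > buf.size())
        throw std::runtime_error("truncated TLV header");
    Tlv t;
    t.tag = buf[off];
    uint8_t first = buf[off + 1];
    size_t pos = off + 2;
    if (first < 0x80) {                        // short-form length
        t.len = first;
    } else {                                   // long form: 0x80|n, then n bytes
        size_t n = first & 0x7f;
        if (n == 0 || n > sizeof(size_t))
            throw std::runtime_error("indefinite or oversized length");
        if (pos + n > buf.size())
            throw std::runtime_error("truncated long-form length");
        t.len = 0;
        for (size_t i = 0; i < n; ++i)         // big-endian
            t.len = (t.len << 8) | buf[pos + i];
        pos += n;
    }
    t.content = pos;
    if (t.len > buf.size() - t.content)        // overflow-safe bounds check
        throw std::runtime_error("length runs past end of buffer");
    return t;
}

// Decode the content of a DER INTEGER as two's complement (up to 8 bytes).
inline int64_t read_int(const std::vector<uint8_t>& buf, const Tlv& t) {
    if (t.tag != 0x02) throw std::runtime_error("expected INTEGER");
    if (t.len == 0 || t.len > 8) throw std::runtime_error("bad INTEGER length");
    uint64_t v = (buf[t.content] & 0x80) ? ~uint64_t(0) : 0;  // sign-extend
    for (size_t i = 0; i < t.len; ++i)
        v = (v << 8) | buf[t.content + i];
    return static_cast<int64_t>(v);
}

}  // namespace der

// The structure-specific walk: an explicit context tag [8] (0xA8) wrapping a
// SEQUENCE (0x30) of INTEGERs. Every inner element is bounds-checked against
// its enclosing container, which is what a generic TLV parser cannot do for you.
inline std::vector<int64_t> parse_etype_list(const std::vector<uint8_t>& buf) {
    der::Tlv outer = der::read_tlv(buf, 0);
    if (outer.tag != 0xA8) throw std::runtime_error("expected [8] EXPLICIT");
    der::Tlv seq = der::read_tlv(buf, outer.content);
    if (seq.tag != 0x30 || seq.end() != outer.end())
        throw std::runtime_error("expected SEQUENCE filling the [8] wrapper");
    std::vector<int64_t> etypes;
    for (size_t pos = seq.content; pos < seq.end();) {
        der::Tlv e = der::read_tlv(buf, pos);
        if (e.end() > seq.end())
            throw std::runtime_error("element overruns SEQUENCE");
        etypes.push_back(der::read_int(buf, e));
        pos = e.end();
    }
    return etypes;
}

// Constructed sample bytes (not from a capture):
// [8] { SEQUENCE { 18, 17, 23 } } = aes256-cts-hmac-sha1-96,
// aes128-cts-hmac-sha1-96, rc4-hmac.
inline std::vector<uint8_t> sample_etype_bytes() {
    return {0xA8, 0x0B, 0x30, 0x09, 0x02, 0x01, 0x12,
            0x02, 0x01, 0x11, 0x02, 0x01, 0x17};
}
```

parse_etype_list(sample_etype_bytes()) yields {18, 17, 23}; cutting the sample short, or giving a SEQUENCE whose declared length does not match the [8] wrapper, throws instead of reading past the buffer. The same shape (read the wrapper, read the container, iterate elements with a bounds check against the container) is what has to be repeated for every ASN.1 structure an analyzer wants to understand, which is why a handful of TLV primitives does not amount to a generic ASN.1 parser.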

