[Bro] binpac to bro script types

Bortoli, Tomas tomas.bortoli at sit.fraunhofer.de
Mon May 29 04:13:15 PDT 2017


That solution looks good but I am stuck with the encoding of the timestamp.

It's a 64 bit timestamp but I don't know how to interpret it. Picture attached.

Thanks,
Tomas
________________________________________
From: Vlad Grigorescu [vladg at illinois.edu]
Sent: Friday, May 26, 2017 5:54 PM
To: Bortoli, Tomas; bro at bro.org
Subject: Re: [Bro] binpac to bro script types

Well, I think you're on the right track. You need to do something like
this line in smb-time.pac:

> Val* bro_ts = new Val(secs, TYPE_TIME);

The Val constructor with a type of time takes a double of seconds since
the epoch (UNIX time) and gives you the Bro script timestamp val. How
you actually convert whatever format you're working with to UNIX time is up
to you and dependent on the format.

Does that make sense? If you can provide more information on how the
timestamp is actually stored, someone might be able to help figure out
how to convert it.

  --Vlad

"Bortoli, Tomas" <tomas.bortoli at sit.fraunhofer.de> writes:

> Hi all,
>
> I'm writing a plug-in for Bro and I'm having trouble passing types like timestamps from binpac code to the generated bro events.
>
> I snooped the code under `src/analyzer/protocol/krb/krb-analyzer.pac` to check out how they build data structures for Bro scripts and that works.
>
> But when it comes to passing a uint[8] into a bro timestamp, I don't know how to do it.
> Any idea?
>
>
> Kind regards
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
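One way to do the uint[8] to Bro time conversion Vlad describes, as an added example that is not from this thread or from the Bro source: it assumes the field is a Windows FILETIME (100-ns ticks since 1601-01-01, the encoding smb-time.pac handles), which is only a guess until the real encoding is known; the byte order, the sample bytes and every function name here are assumptions.

```cpp
#include <cstdint>
#include <cstddef>
#include <stdexcept>

// Assemble the eight bytes of a binpac uint8[8] field into one uint64.
// Byte order is protocol-specific, so the caller states it explicitly.
static uint64_t bytes_to_u64(const uint8_t b[8], bool little_endian)
{
    uint64_t v = 0;
    for (size_t i = 0; i < 8; ++i) {
        size_t idx = little_endian ? 7 - i : i;
        v = (v << 8) | b[idx];
    }
    return v;
}

// Seconds between the FILETIME epoch (1601-01-01) and the UNIX epoch.
static const double kFiletimeEpochOffset = 11644473600.0;

// FILETIME values before 1970 cannot be expressed as a Bro time;
// reject them instead of producing a negative timestamp.
static bool filetime_in_unix_range(uint64_t ft)
{
    return static_cast<double>(ft) / 10000000.0 >= kFiletimeEpochOffset;
}

// Convert a FILETIME (assumed encoding) to UNIX seconds as a double,
// the value the Bro Val(double, TYPE_TIME) constructor expects.
static double filetime_to_unix_secs(uint64_t ft)
{
    if (!filetime_in_unix_range(ft))
        throw std::invalid_argument("FILETIME predates UNIX epoch");
    return static_cast<double>(ft) / 10000000.0 - kFiletimeEpochOffset;
}

// Analyzer-side entry point: raw field bytes in, seconds out. In the
// real .pac code this result is what goes into new Val(secs, TYPE_TIME).
static double field_to_bro_time(const uint8_t b[8], bool little_endian)
{
    return filetime_to_unix_secs(bytes_to_u64(b, little_endian));
}

// Constructed sample: FILETIME 0x019DB1DED5D71680, one second after
// the UNIX epoch, in big-endian and little-endian byte order.
static const uint8_t kSampleBE[8] = {0x01,0x9D,0xB1,0xDE,0xD5,0xD7,0x16,0x80};
static const uint8_t kSampleLE[8] = {0x80,0x16,0xD7,0xD5,0xDE,0xB1,0x9D,0x01};
```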