List: bro
Subject: Re: [Bro] Digging through Source Code
From: Johanna Amann <johanna () icir ! org>
Date: 2017-06-22 19:45:25
Message-ID: 20170622194525.mndtxwhnpyhk6dqz () wifi180 ! sys ! ICSI ! Berkeley ! EDU
I don't know ETSI standard files, but just assuming they are some kind of
ASN.1 data:
While Bro has a bit of ASN.1 parsing capability (meaning that there is a
binpac definition for parts of ASN.1), the implementation is limited to a
small subset of ASN.1. Furthermore, it is not a generic parser; one still has
to implement the actual parsing logic for the specific ASN.1 data on top
of the existing primitives.
So - no, not currently.
Johanna
On Tue, Jun 20, 2017 at 11:43:36PM +0200, Daniel Guerra wrote:
> Talking about ASN1. Would bro be able to read ETSI standard files?
>
>
> On 20/06/2017 at 22:42, Weasel, Gary W Jr CIV DISA RE (US) wrote:
> > Yes, but there's something that's still stumping me.
> >
> > Looking at line 70 from
> > https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-analyzer.pac
> >
> >     case 8:
> >         if ( element->data()->etype()->data()->size() )
> >             rv->Assign(11, proc_cipher_list(element->data()->etype()));
> >
> > Following the breadcrumb trail in the if statement here...
> >
> > element is type KRB_REQ_Arg (defined in
> > https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-protocol.pac)
> >
> > -> data is type KRB_REQ_Arg_Data (defined in
> > https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-protocol.pac)
> >
> > -> etype is type Array (defined in
> > https://github.com/bro/bro/blob/master/src/analyzer/protocol/asn1/asn1.pac)
> >
> > -> data is type ASN1Encoding (defined in
> > https://github.com/bro/bro/blob/master/src/analyzer/protocol/asn1/asn1.pac)
> >
> > -> size is type ?
> >
> > Following this line of thought, I'm a little confused by what "size()" is
> > supposed to mean here, since it's not an attribute. I can infer that it's simply
> > returning the size of the record, but I don't have any information as to how or
> > where that would be defined. I've also tried looking through the source of
> > BinPAC (https://www.bro.org/sphinx/components/binpac/README.html) but have come
> > up empty so far.
> >
> > I have a sample of Kerberos pcap that populates the msg$pa_data$encryption_type
> > vector (from event krb_tgs_request), so I know that the aforementioned if
> > statement is returning true, but the other two vectors "host_addrs" and
> > "additional_tickets" (that from documentation seem to imply they're parallel with
> > the encryption_type vector) come up as <uninitialized>.
> >
> > This made me question whether maybe there was something wrong with the code that was
> > causing it to miss the host_addr and ticket data; I clearly find this data in my
> > pcap sample under padata. This is my current theory anyway, and I wanted to see if
> > I'm making a bad assumption somewhere or if someone can shed light on what's
> > going on here.
> >
> > -----Original Message-----
> > From: Azoff, Justin S [mailto:jazoff@illinois.edu]
> > Sent: Tuesday, June 20, 2017 3:28 PM
> > To: Weasel, Gary W Jr CIV DISA RE (US) <gary.w.weasel2.civ@mail.mil>
> > Cc: bro@bro.org
> > Subject: Re: [Bro] Digging through Source Code
> >
> > All active links contained in this email were disabled. Please verify the
> > identity of the sender, and confirm the authenticity of all links contained
> > within the message prior to copying and pasting the address to a Web browser.
> >
> >
> >
> > ----
> >
> >
> > > On Jun 20, 2017, at 3:14 PM, Weasel, Gary W Jr CIV DISA RE (US)
> > > <gary.w.weasel2.civ@mail.mil> wrote:
> > > All,
> > >
> > > I've been digging through the Bro source code, and there's been something
> > > that's mystifying me for a while now.
> > >
> > >     type Array = record {
> > >         array_meta: ASN1EncodingMeta;
> > >         data: ASN1Encoding[];
> > >     };
> > >
> > > As from https://github.com/bro/bro/blob/57da2d091b30aad52d52fce8018feeb2cdf8ff1f/src/analyzer/protocol/asn1/asn1.pac
> > >
> > > I have no clue what "record" is in this context. I suspect it has other
> > > attributes that are being inherited, but I haven't found anything to indicate
> > > what this is. Does anyone have any insight into this?
> > > Thanks,
> > > - Gary
> > Does this help?
> >
> > https://www.bro.org/sphinx/script-reference/types.html#type-record
> >
> >
> > --
> > - Justin Azoff
> >
> >
> > _______________________________________________
> > Bro mailing list
> > bro@bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
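As an added illustration of the records discussed in this thread (example code, not Bro's or binpac's own), here is a small Python DER walker shaped like asn1.pac: an `Array` is one outer header followed by a vector of `ASN1Encoding` elements, so the `data()->size()` checked in the krb analyzer is just the element count, and the guard skips an empty etype list. The class and function names mirror asn1.pac, the sample bytes are constructed, and the walker also decodes long-form lengths, which the thread does not go into.

```python
from typing import List, NamedTuple

class ASN1EncodingMeta(NamedTuple):    # asn1.pac: identifier octet + length
    tag: int
    length: int
    header_len: int                    # octets consumed by tag and length encoding
class ASN1Encoding(NamedTuple):        # asn1.pac: meta followed by raw content octets
    meta: ASN1EncodingMeta
    content: bytes
class Array(NamedTuple):               # asn1.pac: array_meta + data: ASN1Encoding[]
    array_meta: ASN1EncodingMeta
    data: List[ASN1Encoding]           # the analyzer's data()->size() is len(data)

def parse_meta(buf: bytes, off: int = 0) -> ASN1EncodingMeta:
    """Decode one identifier octet and a short- or long-form DER length."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                                   # short form: length in one octet
        return ASN1EncodingMeta(tag, first, 2)
    n = first & 0x7F                                   # long form: next n octets hold it
    if n == 0 or n > 4 or off + 2 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return ASN1EncodingMeta(tag, int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n)

def parse_encoding(buf: bytes, off: int = 0) -> ASN1Encoding:
    meta = parse_meta(buf, off)
    end = off + meta.header_len + meta.length
    if end > len(buf):                                 # reject lengths past the buffer
        raise ValueError("DER length runs past end of buffer")
    return ASN1Encoding(meta, buf[off + meta.header_len:end])

def parse_array(buf: bytes) -> Array:
    """One outer header, then elements until the outer content is exhausted."""
    outer = parse_encoding(buf)
    data, off = [], 0
    while off < len(outer.content):
        enc = parse_encoding(outer.content, off)
        data.append(enc)
        off += enc.meta.header_len + enc.meta.length
    return Array(outer.meta, data)

def decode_etype_field(field_bytes: bytes) -> List[int]:
    """Unwrap the [8] context tag (the KRB_REQ_Arg), then walk the etype Array."""
    wrapper = parse_encoding(field_bytes)
    if wrapper.meta.tag != 0xA8:                       # [8] constructed, context-specific
        raise ValueError("not a KDC-REQ-BODY etype field")
    arr = parse_array(wrapper.content)
    if len(arr.data) == 0:                             # the size() guard from krb-analyzer.pac
        return []
    return [int.from_bytes(e.content, "big", signed=True) for e in arr.data]

# Constructed sample: etype [8] SEQUENCE OF INTEGER {18, 17, 23} (aes256, aes128, rc4).
SAMPLE_ETYPE = bytes.fromhex("a80b3009020112020111020117")
```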