Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
How to Write a Protocol Analyzer
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Vlad Grigorescu
August 07, 2013
Programming
0
170
How to Write a Protocol Analyzer
From the 2013 Bro Exchange
Vlad Grigorescu
August 07, 2013
Tweet
Share
More Decks by Vlad Grigorescu
See All by Vlad Grigorescu
Bro Deployment Verification and Troubleshooting
vladg
1
1.1k
Bro's Exec Module
vladg
0
350
EDUCAUSE SPC 2013 - Log Management (2/2)
vladg
0
170
Other Decks in Programming
See All in Programming
開発者から情シスまで - 多様なユーザー層に届けるAPI提供戦略 / Postman API Night Okinawa 2026 Winter
tasshi
0
200
副作用をどこに置くか問題:オブジェクト指向で整理する設計判断ツリー
koxya
1
610
LLM Observabilityによる 対話型音声AIアプリケーションの安定運用
gekko0114
2
430
OCaml 5でモダンな並列プログラミングを Enjoyしよう!
haochenx
0
140
React 19でつくる「気持ちいいUI」- 楽観的UIのすすめ
himorishige
11
7.4k
コマンドとリード間の連携に対する脅威分析フレームワーク
pandayumi
1
450
Apache Iceberg V3 and migration to V3
tomtanaka
0
160
Fluid Templating in TYPO3 14
s2b
0
130
Rust 製のコードエディタ “Zed” を使ってみた
nearme_tech
PRO
0
180
CSC307 Lecture 02
javiergs
PRO
1
780
CSC307 Lecture 03
javiergs
PRO
1
490
AIフル活用時代だからこそ学んでおきたい働き方の心得
shinoyu
0
130
Featured
See All Featured
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
helenjbeal
1
120
sira's awesome portfolio website redesign presentation
elsirapls
0
150
What Being in a Rock Band Can Teach Us About Real World SEO
427marketing
0
170
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
38
2.7k
Context Engineering - Making Every Token Count
addyosmani
9
660
Lightning Talk: Beautiful Slides for Beginners
inesmontani
PRO
1
440
Done Done
chrislema
186
16k
The untapped power of vector embeddings
frankvandijk
1
1.6k
Paper Plane (Part 1)
katiecoart
PRO
0
4.2k
A Guide to Academic Writing Using Generative AI - A Workshop
ks91
PRO
0
200
Abbi's Birthday
coloredviolet
1
4.7k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
508
140k
Transcript
How to Write a Protocol Analyzer Vlad Grigorescu 1 Friday,
October 18, 13
What Do Analyzers Do? • Parse the network traffic •
Generate events 2 • Handle the events • Generate logs Friday, October 18, 13
What Do Analyzers Do? • Parse the network traffic •
Generate events 2 • Handle the events • Generate logs Core Layer Script Layer Friday, October 18, 13
Parsing Traffic Goal: Convert packet payload to data structure 3
Friday, October 18, 13
Parsing Traffic Goal: Convert packet payload to data structure 3
<15>Mar 19 14:06:37 scobel-‐113 : debug... priority (8*facility + severity) message Friday, October 18, 13
4 Parsing Traffic struct syslog_data { int facility;
int severity; char* msg; }; /* Parsing code */ <15>Mar 19 14:06:37 scobel-113 : debug... Friday, October 18, 13
binpac • A domain-specific language for protocol parsing • Build
“types” to represent logical data structures • .pac files get processed into C++ source code 5 Friday, October 18, 13
6 Parsing Traffic type Syslog_Message = record {
PRI: Syslog_Priority; msg: bytestring &restofdata; } &byteorder = littleendian; <15>Mar 19 14:06:37 scobel-113 : debug... Friday, October 18, 13
type Syslog_Priority = record { lt
: uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } Parsing Traffic 7 <15>Mar 19 14:06:37 scobel-113 : debug... ; Friday, October 18, 13
type Syslog_Priority = record { lt
: uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } &let { pri: int=bytestring_to_int(tmppri, 10); Parsing Traffic 7 <15>Mar 19 14:06:37 scobel-113 : debug... }; Friday, October 18, 13
type Syslog_Priority = record { lt
: uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } &let { pri: int=bytestring_to_int(tmppri, 10); Parsing Traffic 7 <15>Mar 19 14:06:37 scobel-113 : debug... // pri == facility*8 + severity facility: int = pri / 8; severity: int = pri % 8; }; Friday, October 18, 13
8 Parsing Traffic √ syslog-‐protocol.pac - Defines the protocol Friday,
October 18, 13
Generating Events Whenever we see a syslog message, generate the
syslog_message event: syslog_message( conn facility severity msg ) 9 Friday, October 18, 13
Generating Events Whenever we see a syslog message, generate the
syslog_message event: syslog_message( conn facility severity msg ) 9 : connection, : int, : int, : string Friday, October 18, 13
10 Generating Events event syslog_message(%
c: connection, facility: int, severity: int, msg: string %); Friday, October 18, 13
10 Generating Events event syslog_message(%
c: connection, facility: int, severity: int, msg: string %); √ events.bif - Defines the events Friday, October 18, 13
11 Generating Events type Syslog_Message = record { PRI:
Syslog_Priority; msg: bytestring &restofdata; } &byteorder = littleendian; type Syslog_Priority = record { lt : uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } &let { pri: int = bytestring_to_int(val, 10); facility: int = pri / 8; severity: int = pri % 8; }; Friday, October 18, 13
function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): Generating Events 12 Friday, October 18, 13
13 Generating Events function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): bool %{ %} Friday, October 18, 13
14 Generating Events function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); %} Friday, October 18, 13
15 Generating Events function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} Friday, October 18, 13
16 Connections and Flows Friday, October 18, 13
17 Connections and Flows Friday, October 18, 13
18 Connections and Flows Friday, October 18, 13
19 Generating Events refine flow Syslog_Flow += { function
proc_syslog_msg(facility: count, severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} }; Friday, October 18, 13
refine typeattr Syslog_Message += &let { proc_syslog_message
= $context.flow.proc_syslog_msg(PRI.facility, PRI.severity, msg); }; Generating Events 20 Friday, October 18, 13
21 Generating Events refine flow Syslog_Flow += { function
proc_syslog_msg(facility: count, severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} }; refine typeattr Syslog_Message += &let { proc_syslog_message = $context.flow.proc_syslog_msg(PRI.facility, PRI.severity, msg); }; Friday, October 18, 13
21 Generating Events refine flow Syslog_Flow += { function
proc_syslog_msg(facility: count, severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} }; refine typeattr Syslog_Message += &let { proc_syslog_message = $context.flow.proc_syslog_msg(PRI.facility, PRI.severity, msg); }; √ syslog-‐analyzer.pac - Generates the events (and handles state) Friday, October 18, 13
22 What Do Analyzers Do? Parse the network traffic Generate
events • Handle the events • Generate logs Core Layer Script Layer Friday, October 18, 13
Handle Those Events! 23 module Syslog; const ports = {
514/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Analyzer::register_for_ports( Analyzer::ANALYZER_SYSLOG, ports); } Friday, October 18, 13
24 Handle Those Events! event syslog_message(c: connection,
facility: count, severity: count, msg: string) &priority=5 { print(fmt(“I have a message! %s”, msg); } Friday, October 18, 13
Handle Those Events! 25 module Syslog; const ports = {
514/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Analyzer::register_for_ports( Analyzer::ANALYZER_SYSLOG, ports); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 { print(fmt(“I have a message! %s”, msg); } Friday, October 18, 13
Handle Those Events! 25 module Syslog; const ports = {
514/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Analyzer::register_for_ports( Analyzer::ANALYZER_SYSLOG, ports); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 { print(fmt(“I have a message! %s”, msg); } √ main.bro - Registers the analyzer, handles events, logs Friday, October 18, 13
26 Non-Standard Ports? const ports = { 514/udp }; Friday,
October 18, 13
26 Non-Standard Ports? signature dpd_syslog { ip-‐proto == udp
payload /^<[0-‐9][0-‐9]?[0-‐9]?>/ enable "syslog" } Friday, October 18, 13
26 Non-Standard Ports? signature dpd_syslog { ip-‐proto == udp
payload /^<[0-‐9][0-‐9]?[0-‐9]?>/ enable "syslog" } √ dpd.sig - Defines DPD signatures Friday, October 18, 13
Dealing with Errors 27 event protocol_violation(
c: connection, atype: Analyzer::Tag, aid: count, reason: string) Binpac exception: binpac exception: string mismatch at src/analyzer/protocol/sip/ sip-‐protocol.pac:61: expected pattern: "(([^: \t]+|\r\n))" actual data: "" Friday, October 18, 13
Bootstrapping Coming soon to a Github near you... 28 Friday,
October 18, 13
Bootstrapping Coming soon to a Github near you... 28 $
./start.py tftp “Trivial FTP Analyzer” ~/bro Files created. TODO: 1) src/analyzers/protocol/tftp/tftp-‐protocol.pac 2) src/analyzers/protocol/tftp/events.bif 3) src/analyzers/protocol/tftp/tftp-‐analyzer.pac 4) scripts/base/protocols/tftp/main.bro 5) scripts/base/protocols/tftp/dpd.sig Friday, October 18, 13
29 Extra Credit: State flow My_Flow(is_orig: bool) { %member{
bool server_hungry; %} %init{ server_hungry = T; %} function proc_error(msg: My_Type) { server_hungry = F; }; Friday, October 18, 13
SiteGround - Reliable hosting with speed, security, and support you can count on.
vladg
tasshi
koxya
gekko0114
haochenx
himorishige
pandayumi
tomtanaka
s2b
nearme_tech
javiergs
shinoyu
.png){kind=avatar}
helenjbeal
elsirapls
427marketing
eileencodes
addyosmani
inesmontani
chrislema
frankvandijk
katiecoart
ks91
coloredviolet
chriscoyier
