Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
How to Write a Protocol Analyzer
Search
Vlad Grigorescu
August 07, 2013
Programming
0
170
How to Write a Protocol Analyzer
From the 2013 Bro Exchange
Vlad Grigorescu
August 07, 2013
Tweet
Share
More Decks by Vlad Grigorescu
See All by Vlad Grigorescu
Bro Deployment Verification and Troubleshooting
vladg
1
1k
Bro's Exec Module
vladg
0
350
EDUCAUSE SPC 2013 - Log Management (2/2)
vladg
0
170
Other Decks in Programming
See All in Programming
AWS CDKの推しポイント 〜CloudFormationと比較してみた〜
akihisaikeda
3
280
プロダクト開発でも使おう 関数のオーバーロード
yoiwamoto
0
160
エラーって何種類あるの?
kajitack
5
260
Is Xcode slowly dying out in 2025?
uetyo
1
140
型付きアクターモデルがもたらす分散シミュレーションの未来
piyo7
0
800
KotlinConf 2025 現地参加の土産話
n_takehata
0
100
AIネイティブなプロダクトをGolangで挑む取り組み
nmatsumoto4
0
120
コード書くの好きな人向けAIコーディング活用tips #orestudy
77web
3
320
Bytecode Manipulation 으로 생산성 높이기
bigstark
2
360
KotlinConf 2025 現地で感じたServer-Side Kotlin
n_takehata
1
220
レガシーシステムの機能調査・開発におけるAI利活用
takuya_ohtonari
0
610
つよそうにふるまい、つよい成果を出すのなら、つよいのかもしれない
irof
1
290
Featured
See All Featured
ReactJS: Keep Simple. Everything can be a component!
pedronauck
667
120k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
48
2.8k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
20
1.3k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
Designing Experiences People Love
moore
142
24k
GraphQLとの向き合い方2022年版
quramy
46
14k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.4k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Testing 201, or: Great Expectations
jmmastey
42
7.5k
Done Done
chrislema
184
16k
Mobile First: as difficult as doing things right
swwweet
223
9.7k
Transcript
How to Write a Protocol Analyzer Vlad Grigorescu 1 Friday,
October 18, 13
What Do Analyzers Do? • Parse the network traffic •
Generate events 2 • Handle the events • Generate logs Friday, October 18, 13
What Do Analyzers Do? • Parse the network traffic •
Generate events 2 • Handle the events • Generate logs Core Layer Script Layer Friday, October 18, 13
Parsing Traffic Goal: Convert packet payload to data structure 3
Friday, October 18, 13
Parsing Traffic Goal: Convert packet payload to data structure 3
<15>Mar 19 14:06:37 scobel-‐113 : debug... priority (8*facility + severity) message Friday, October 18, 13
4 Parsing Traffic struct syslog_data { int facility;
int severity; char* msg; }; /* Parsing code */ <15>Mar 19 14:06:37 scobel-113 : debug... Friday, October 18, 13
binpac • A domain-specific language for protocol parsing • Build
“types” to represent logical data structures • .pac files get processed into C++ source code 5 Friday, October 18, 13
6 Parsing Traffic type Syslog_Message = record {
PRI: Syslog_Priority; msg: bytestring &restofdata; } &byteorder = littleendian; <15>Mar 19 14:06:37 scobel-113 : debug... Friday, October 18, 13
type Syslog_Priority = record { lt
: uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } Parsing Traffic 7 <15>Mar 19 14:06:37 scobel-113 : debug... ; Friday, October 18, 13
type Syslog_Priority = record { lt
: uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } &let { pri: int=bytestring_to_int(tmppri, 10); Parsing Traffic 7 <15>Mar 19 14:06:37 scobel-113 : debug... }; Friday, October 18, 13
type Syslog_Priority = record { lt
: uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } &let { pri: int=bytestring_to_int(tmppri, 10); Parsing Traffic 7 <15>Mar 19 14:06:37 scobel-113 : debug... // pri == facility*8 + severity facility: int = pri / 8; severity: int = pri % 8; }; Friday, October 18, 13
8 Parsing Traffic √ syslog-‐protocol.pac - Defines the protocol Friday,
October 18, 13
Generating Events Whenever we see a syslog message, generate the
syslog_message event: syslog_message( conn facility severity msg ) 9 Friday, October 18, 13
Generating Events Whenever we see a syslog message, generate the
syslog_message event: syslog_message( conn facility severity msg ) 9 : connection, : int, : int, : string Friday, October 18, 13
10 Generating Events event syslog_message(%
c: connection, facility: int, severity: int, msg: string %); Friday, October 18, 13
10 Generating Events event syslog_message(%
c: connection, facility: int, severity: int, msg: string %); √ events.bif - Defines the events Friday, October 18, 13
11 Generating Events type Syslog_Message = record { PRI:
Syslog_Priority; msg: bytestring &restofdata; } &byteorder = littleendian; type Syslog_Priority = record { lt : uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } &let { pri: int = bytestring_to_int(val, 10); facility: int = pri / 8; severity: int = pri % 8; }; Friday, October 18, 13
function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): Generating Events 12 Friday, October 18, 13
13 Generating Events function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): bool %{ %} Friday, October 18, 13
14 Generating Events function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); %} Friday, October 18, 13
15 Generating Events function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} Friday, October 18, 13
16 Connections and Flows Friday, October 18, 13
17 Connections and Flows Friday, October 18, 13
18 Connections and Flows Friday, October 18, 13
19 Generating Events refine flow Syslog_Flow += { function
proc_syslog_msg(facility: count, severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} }; Friday, October 18, 13
refine typeattr Syslog_Message += &let { proc_syslog_message
= $context.flow.proc_syslog_msg(PRI.facility, PRI.severity, msg); }; Generating Events 20 Friday, October 18, 13
21 Generating Events refine flow Syslog_Flow += { function
proc_syslog_msg(facility: count, severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} }; refine typeattr Syslog_Message += &let { proc_syslog_message = $context.flow.proc_syslog_msg(PRI.facility, PRI.severity, msg); }; Friday, October 18, 13
21 Generating Events refine flow Syslog_Flow += { function
proc_syslog_msg(facility: count, severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} }; refine typeattr Syslog_Message += &let { proc_syslog_message = $context.flow.proc_syslog_msg(PRI.facility, PRI.severity, msg); }; √ syslog-‐analyzer.pac - Generates the events (and handles state) Friday, October 18, 13
22 What Do Analyzers Do? Parse the network traffic Generate
events • Handle the events • Generate logs Core Layer Script Layer Friday, October 18, 13
Handle Those Events! 23 module Syslog; const ports = {
514/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Analyzer::register_for_ports( Analyzer::ANALYZER_SYSLOG, ports); } Friday, October 18, 13
24 Handle Those Events! event syslog_message(c: connection,
facility: count, severity: count, msg: string) &priority=5 { print(fmt(“I have a message! %s”, msg); } Friday, October 18, 13
Handle Those Events! 25 module Syslog; const ports = {
514/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Analyzer::register_for_ports( Analyzer::ANALYZER_SYSLOG, ports); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 { print(fmt(“I have a message! %s”, msg); } Friday, October 18, 13
Handle Those Events! 25 module Syslog; const ports = {
514/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Analyzer::register_for_ports( Analyzer::ANALYZER_SYSLOG, ports); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 { print(fmt(“I have a message! %s”, msg); } √ main.bro - Registers the analyzer, handles events, logs Friday, October 18, 13
26 Non-Standard Ports? const ports = { 514/udp }; Friday,
October 18, 13
26 Non-Standard Ports? signature dpd_syslog { ip-‐proto == udp
payload /^<[0-‐9][0-‐9]?[0-‐9]?>/ enable "syslog" } Friday, October 18, 13
26 Non-Standard Ports? signature dpd_syslog { ip-‐proto == udp
payload /^<[0-‐9][0-‐9]?[0-‐9]?>/ enable "syslog" } √ dpd.sig - Defines DPD signatures Friday, October 18, 13
Dealing with Errors 27 event protocol_violation(
c: connection, atype: Analyzer::Tag, aid: count, reason: string) Binpac exception: binpac exception: string mismatch at src/analyzer/protocol/sip/ sip-‐protocol.pac:61: expected pattern: "(([^: \t]+|\r\n))" actual data: "" Friday, October 18, 13
Bootstrapping Coming soon to a Github near you... 28 Friday,
October 18, 13
Bootstrapping Coming soon to a Github near you... 28 $
./start.py tftp “Trivial FTP Analyzer” ~/bro Files created. TODO: 1) src/analyzers/protocol/tftp/tftp-‐protocol.pac 2) src/analyzers/protocol/tftp/events.bif 3) src/analyzers/protocol/tftp/tftp-‐analyzer.pac 4) scripts/base/protocols/tftp/main.bro 5) scripts/base/protocols/tftp/dpd.sig Friday, October 18, 13
29 Extra Credit: State flow My_Flow(is_orig: bool) { %member{
bool server_hungry; %} %init{ server_hungry = T; %} function proc_error(msg: My_Type) { server_hungry = F; }; Friday, October 18, 13
vladg
akihisaikeda
yoiwamoto
kajitack
uetyo
piyo7
n_takehata
nmatsumoto4
77web
bigstark
takuya_ohtonari
irof
pedronauck
tammyeverts
honnibal
afnizarnur
addyosmani
moore
quramy
eileencodes
chriscoyier
jmmastey
chrislema
swwweet
