Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
How to Write a Protocol Analyzer
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Vlad Grigorescu
August 07, 2013
Programming
180
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
How to Write a Protocol Analyzer
From the 2013 Bro Exchange
Vlad Grigorescu
August 07, 2013
More Decks by Vlad Grigorescu
See All by Vlad Grigorescu
Bro Deployment Verification and Troubleshooting
vladg
1
1.1k
Bro's Exec Module
vladg
0
370
EDUCAUSE SPC 2013 - Log Management (2/2)
vladg
0
170
Other Decks in Programming
See All in Programming
言語を使う側から、作る側へ。 自作 Lisp で得た新たな気づき。
andpad
0
110
Snowflake Summitでの新機能 CoCo / CoWork / snowflake-summit-2026-overall-what-new-coco
tatsuhiro
1
220
【やさしく解説 設計編・中級 #1】一つの車に、運転手は一人 ~ある倉庫システムの事例から~
panda728
PRO
0
170
Developing with AI Agents — Codex, Claude Code & Cowork Practical Guide
x5gtrn
PRO
0
1.4k
例外の正しい扱い方 そのエラー try-catchして大丈夫?
jinwatanabe
0
360
エンジニアと一緒にテストコードの設計と実装を改善した話
mototakatsu
0
260
気圧・高度・GPSを記録&可視化するアプリ「Koudo」を作った話
hjmkth
1
350
Vue × Nuxt × Oxc どこまで使える?実運用の現在地
andpad
0
370
スマートグラスで並列バイブコーディング
hyshu
0
290
SREは、MCPとSRE Agentをこう使え!
kazumax55
0
150
音楽のための関数型プログラミング言語mimiumにおける多段階計算の活用
tomoyanonymous
1
310
SREの積み重ねがAI駆動開発のガードレールになった ― 7つの実践/SRE Guardrails The 7
tomoyakitaura
8
4k
Featured
See All Featured
AI in Enterprises - Java and Open Source to the Rescue
ivargrimstad
0
1.4k
How To Speak Unicorn (iThemes Webinar)
marktimemedia
1
500
Documentation Writing (for coders)
carmenintech
77
5.4k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
141
35k
Embracing the Ebb and Flow
colly
88
5.1k
The Curious Case for Waylosing
cassininazir
1
430
Leading Effective Engineering Teams in the AI Era
addyosmani
9
2.1k
Evolving SEO for Evolving Search Engines
ryanjones
0
240
Testing 201, or: Great Expectations
jmmastey
46
8.2k
The Cost Of JavaScript in 2023
addyosmani
55
10k
Neural Spatial Audio Processing for Sound Field Analysis and Control
skoyamalab
0
370
Measuring Dark Social's Impact On Conversion and Attribution
stephenakadiri
2
230
Transcript
How to Write a Protocol Analyzer Vlad Grigorescu 1 Friday,
October 18, 13
What Do Analyzers Do? • Parse the network traffic •
Generate events 2 • Handle the events • Generate logs Friday, October 18, 13
What Do Analyzers Do? • Parse the network traffic •
Generate events 2 • Handle the events • Generate logs Core Layer Script Layer Friday, October 18, 13
Parsing Traffic Goal: Convert packet payload to data structure 3
Friday, October 18, 13
Parsing Traffic Goal: Convert packet payload to data structure 3
<15>Mar 19 14:06:37 scobel-‐113 : debug... priority (8*facility + severity) message Friday, October 18, 13
4 Parsing Traffic struct syslog_data { int facility;
int severity; char* msg; }; /* Parsing code */ <15>Mar 19 14:06:37 scobel-113 : debug... Friday, October 18, 13
binpac • A domain-specific language for protocol parsing • Build
“types” to represent logical data structures • .pac files get processed into C++ source code 5 Friday, October 18, 13
6 Parsing Traffic type Syslog_Message = record {
PRI: Syslog_Priority; msg: bytestring &restofdata; } &byteorder = littleendian; <15>Mar 19 14:06:37 scobel-113 : debug... Friday, October 18, 13
type Syslog_Priority = record { lt
: uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } Parsing Traffic 7 <15>Mar 19 14:06:37 scobel-113 : debug... ; Friday, October 18, 13
type Syslog_Priority = record { lt
: uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } &let { pri: int=bytestring_to_int(tmppri, 10); Parsing Traffic 7 <15>Mar 19 14:06:37 scobel-113 : debug... }; Friday, October 18, 13
type Syslog_Priority = record { lt
: uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } &let { pri: int=bytestring_to_int(tmppri, 10); Parsing Traffic 7 <15>Mar 19 14:06:37 scobel-113 : debug... // pri == facility*8 + severity facility: int = pri / 8; severity: int = pri % 8; }; Friday, October 18, 13
8 Parsing Traffic √ syslog-‐protocol.pac - Defines the protocol Friday,
October 18, 13
Generating Events Whenever we see a syslog message, generate the
syslog_message event: syslog_message( conn facility severity msg ) 9 Friday, October 18, 13
Generating Events Whenever we see a syslog message, generate the
syslog_message event: syslog_message( conn facility severity msg ) 9 : connection, : int, : int, : string Friday, October 18, 13
10 Generating Events event syslog_message(%
c: connection, facility: int, severity: int, msg: string %); Friday, October 18, 13
10 Generating Events event syslog_message(%
c: connection, facility: int, severity: int, msg: string %); √ events.bif - Defines the events Friday, October 18, 13
11 Generating Events type Syslog_Message = record { PRI:
Syslog_Priority; msg: bytestring &restofdata; } &byteorder = littleendian; type Syslog_Priority = record { lt : uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } &let { pri: int = bytestring_to_int(val, 10); facility: int = pri / 8; severity: int = pri % 8; }; Friday, October 18, 13
function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): Generating Events 12 Friday, October 18, 13
13 Generating Events function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): bool %{ %} Friday, October 18, 13
14 Generating Events function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); %} Friday, October 18, 13
15 Generating Events function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} Friday, October 18, 13
16 Connections and Flows Friday, October 18, 13
17 Connections and Flows Friday, October 18, 13
18 Connections and Flows Friday, October 18, 13
19 Generating Events refine flow Syslog_Flow += { function
proc_syslog_msg(facility: count, severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} }; Friday, October 18, 13
refine typeattr Syslog_Message += &let { proc_syslog_message
= $context.flow.proc_syslog_msg(PRI.facility, PRI.severity, msg); }; Generating Events 20 Friday, October 18, 13
21 Generating Events refine flow Syslog_Flow += { function
proc_syslog_msg(facility: count, severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} }; refine typeattr Syslog_Message += &let { proc_syslog_message = $context.flow.proc_syslog_msg(PRI.facility, PRI.severity, msg); }; Friday, October 18, 13
21 Generating Events refine flow Syslog_Flow += { function
proc_syslog_msg(facility: count, severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} }; refine typeattr Syslog_Message += &let { proc_syslog_message = $context.flow.proc_syslog_msg(PRI.facility, PRI.severity, msg); }; √ syslog-‐analyzer.pac - Generates the events (and handles state) Friday, October 18, 13
22 What Do Analyzers Do? Parse the network traffic Generate
events • Handle the events • Generate logs Core Layer Script Layer Friday, October 18, 13
Handle Those Events! 23 module Syslog; const ports = {
514/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Analyzer::register_for_ports( Analyzer::ANALYZER_SYSLOG, ports); } Friday, October 18, 13
24 Handle Those Events! event syslog_message(c: connection,
facility: count, severity: count, msg: string) &priority=5 { print(fmt(“I have a message! %s”, msg); } Friday, October 18, 13
Handle Those Events! 25 module Syslog; const ports = {
514/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Analyzer::register_for_ports( Analyzer::ANALYZER_SYSLOG, ports); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 { print(fmt(“I have a message! %s”, msg); } Friday, October 18, 13
Handle Those Events! 25 module Syslog; const ports = {
514/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Analyzer::register_for_ports( Analyzer::ANALYZER_SYSLOG, ports); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 { print(fmt(“I have a message! %s”, msg); } √ main.bro - Registers the analyzer, handles events, logs Friday, October 18, 13
26 Non-Standard Ports? const ports = { 514/udp }; Friday,
October 18, 13
26 Non-Standard Ports? signature dpd_syslog { ip-‐proto == udp
payload /^<[0-‐9][0-‐9]?[0-‐9]?>/ enable "syslog" } Friday, October 18, 13
26 Non-Standard Ports? signature dpd_syslog { ip-‐proto == udp
payload /^<[0-‐9][0-‐9]?[0-‐9]?>/ enable "syslog" } √ dpd.sig - Defines DPD signatures Friday, October 18, 13
Dealing with Errors 27 event protocol_violation(
c: connection, atype: Analyzer::Tag, aid: count, reason: string) Binpac exception: binpac exception: string mismatch at src/analyzer/protocol/sip/ sip-‐protocol.pac:61: expected pattern: "(([^: \t]+|\r\n))" actual data: "" Friday, October 18, 13
Bootstrapping Coming soon to a Github near you... 28 Friday,
October 18, 13
Bootstrapping Coming soon to a Github near you... 28 $
./start.py tftp “Trivial FTP Analyzer” ~/bro Files created. TODO: 1) src/analyzers/protocol/tftp/tftp-‐protocol.pac 2) src/analyzers/protocol/tftp/events.bif 3) src/analyzers/protocol/tftp/tftp-‐analyzer.pac 4) scripts/base/protocols/tftp/main.bro 5) scripts/base/protocols/tftp/dpd.sig Friday, October 18, 13
29 Extra Credit: State flow My_Flow(is_orig: bool) { %member{
bool server_hungry; %} %init{ server_hungry = T; %} function proc_error(msg: My_Type) { server_hungry = F; }; Friday, October 18, 13