Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
How to Write a Protocol Analyzer
Search
Vlad Grigorescu
August 07, 2013
Programming
0
170
How to Write a Protocol Analyzer
From the 2013 Bro Exchange
Vlad Grigorescu
August 07, 2013
Tweet
Share
More Decks by Vlad Grigorescu
See All by Vlad Grigorescu
Bro Deployment Verification and Troubleshooting
vladg
1
1k
Bro's Exec Module
vladg
0
350
EDUCAUSE SPC 2013 - Log Management (2/2)
vladg
0
170
Other Decks in Programming
See All in Programming
Oracle Database Technology Night 92 Database Connection control FAN-AC
oracle4engineer
PRO
1
370
Go言語での実装を通して学ぶLLMファインチューニングの仕組み / fukuokago22-llm-peft
monochromegane
0
110
AIエージェント開発、DevOps and LLMOps
ymd65536
1
370
ProxyによるWindow間RPC機構の構築
syumai
2
740
testingを眺める
matumoto
1
130
Testing Trophyは叫ばない
toms74209200
0
290
Namespace and Its Future
tagomoris
6
690
実用的なGOCACHEPROG実装をするために / golang.tokyo #40
mazrean
1
140
テストカバレッジ100%を10年続けて得られた学びと品質
mottyzzz
2
440
CJK and Unicode From a PHP Committer
youkidearitai
PRO
0
100
2025 年のコーディングエージェントの現在地とエンジニアの仕事の変化について
azukiazusa1
15
6.5k
さようなら Date。 ようこそTemporal! 3年間先行利用して得られた知見の共有
8beeeaaat
0
270
Featured
See All Featured
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4k
Typedesign – Prime Four
hannesfritz
42
2.8k
Code Review Best Practice
trishagee
70
19k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
61k
For a Future-Friendly Web
brad_frost
179
9.9k
Gamification - CAS2011
davidbonilla
81
5.4k
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.6k
The Invisible Side of Design
smashingmag
301
51k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
9
800
Raft: Consensus for Rubyists
vanstee
140
7.1k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Transcript
How to Write a Protocol Analyzer Vlad Grigorescu 1 Friday,
October 18, 13
What Do Analyzers Do? • Parse the network traffic •
Generate events 2 • Handle the events • Generate logs Friday, October 18, 13
What Do Analyzers Do? • Parse the network traffic •
Generate events 2 • Handle the events • Generate logs Core Layer Script Layer Friday, October 18, 13
Parsing Traffic Goal: Convert packet payload to data structure 3
Friday, October 18, 13
Parsing Traffic Goal: Convert packet payload to data structure 3
<15>Mar 19 14:06:37 scobel-‐113 : debug... priority (8*facility + severity) message Friday, October 18, 13
4 Parsing Traffic struct syslog_data { int facility;
int severity; char* msg; }; /* Parsing code */ <15>Mar 19 14:06:37 scobel-113 : debug... Friday, October 18, 13
binpac • A domain-specific language for protocol parsing • Build
“types” to represent logical data structures • .pac files get processed into C++ source code 5 Friday, October 18, 13
6 Parsing Traffic type Syslog_Message = record {
PRI: Syslog_Priority; msg: bytestring &restofdata; } &byteorder = littleendian; <15>Mar 19 14:06:37 scobel-113 : debug... Friday, October 18, 13
type Syslog_Priority = record { lt
: uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } Parsing Traffic 7 <15>Mar 19 14:06:37 scobel-113 : debug... ; Friday, October 18, 13
type Syslog_Priority = record { lt
: uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } &let { pri: int=bytestring_to_int(tmppri, 10); Parsing Traffic 7 <15>Mar 19 14:06:37 scobel-113 : debug... }; Friday, October 18, 13
type Syslog_Priority = record { lt
: uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } &let { pri: int=bytestring_to_int(tmppri, 10); Parsing Traffic 7 <15>Mar 19 14:06:37 scobel-113 : debug... // pri == facility*8 + severity facility: int = pri / 8; severity: int = pri % 8; }; Friday, October 18, 13
8 Parsing Traffic √ syslog-‐protocol.pac - Defines the protocol Friday,
October 18, 13
Generating Events Whenever we see a syslog message, generate the
syslog_message event: syslog_message( conn facility severity msg ) 9 Friday, October 18, 13
Generating Events Whenever we see a syslog message, generate the
syslog_message event: syslog_message( conn facility severity msg ) 9 : connection, : int, : int, : string Friday, October 18, 13
10 Generating Events event syslog_message(%
c: connection, facility: int, severity: int, msg: string %); Friday, October 18, 13
10 Generating Events event syslog_message(%
c: connection, facility: int, severity: int, msg: string %); √ events.bif - Defines the events Friday, October 18, 13
11 Generating Events type Syslog_Message = record { PRI:
Syslog_Priority; msg: bytestring &restofdata; } &byteorder = littleendian; type Syslog_Priority = record { lt : uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } &let { pri: int = bytestring_to_int(val, 10); facility: int = pri / 8; severity: int = pri % 8; }; Friday, October 18, 13
function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): Generating Events 12 Friday, October 18, 13
13 Generating Events function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): bool %{ %} Friday, October 18, 13
14 Generating Events function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); %} Friday, October 18, 13
15 Generating Events function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} Friday, October 18, 13
16 Connections and Flows Friday, October 18, 13
17 Connections and Flows Friday, October 18, 13
18 Connections and Flows Friday, October 18, 13
19 Generating Events refine flow Syslog_Flow += { function
proc_syslog_msg(facility: count, severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} }; Friday, October 18, 13
refine typeattr Syslog_Message += &let { proc_syslog_message
= $context.flow.proc_syslog_msg(PRI.facility, PRI.severity, msg); }; Generating Events 20 Friday, October 18, 13
21 Generating Events refine flow Syslog_Flow += { function
proc_syslog_msg(facility: count, severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} }; refine typeattr Syslog_Message += &let { proc_syslog_message = $context.flow.proc_syslog_msg(PRI.facility, PRI.severity, msg); }; Friday, October 18, 13
21 Generating Events refine flow Syslog_Flow += { function
proc_syslog_msg(facility: count, severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} }; refine typeattr Syslog_Message += &let { proc_syslog_message = $context.flow.proc_syslog_msg(PRI.facility, PRI.severity, msg); }; √ syslog-‐analyzer.pac - Generates the events (and handles state) Friday, October 18, 13
22 What Do Analyzers Do? Parse the network traffic Generate
events • Handle the events • Generate logs Core Layer Script Layer Friday, October 18, 13
Handle Those Events! 23 module Syslog; const ports = {
514/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Analyzer::register_for_ports( Analyzer::ANALYZER_SYSLOG, ports); } Friday, October 18, 13
24 Handle Those Events! event syslog_message(c: connection,
facility: count, severity: count, msg: string) &priority=5 { print(fmt(“I have a message! %s”, msg); } Friday, October 18, 13
Handle Those Events! 25 module Syslog; const ports = {
514/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Analyzer::register_for_ports( Analyzer::ANALYZER_SYSLOG, ports); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 { print(fmt(“I have a message! %s”, msg); } Friday, October 18, 13
Handle Those Events! 25 module Syslog; const ports = {
514/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Analyzer::register_for_ports( Analyzer::ANALYZER_SYSLOG, ports); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 { print(fmt(“I have a message! %s”, msg); } √ main.bro - Registers the analyzer, handles events, logs Friday, October 18, 13
26 Non-Standard Ports? const ports = { 514/udp }; Friday,
October 18, 13
26 Non-Standard Ports? signature dpd_syslog { ip-‐proto == udp
payload /^<[0-‐9][0-‐9]?[0-‐9]?>/ enable "syslog" } Friday, October 18, 13
26 Non-Standard Ports? signature dpd_syslog { ip-‐proto == udp
payload /^<[0-‐9][0-‐9]?[0-‐9]?>/ enable "syslog" } √ dpd.sig - Defines DPD signatures Friday, October 18, 13
Dealing with Errors 27 event protocol_violation(
c: connection, atype: Analyzer::Tag, aid: count, reason: string) Binpac exception: binpac exception: string mismatch at src/analyzer/protocol/sip/ sip-‐protocol.pac:61: expected pattern: "(([^: \t]+|\r\n))" actual data: "" Friday, October 18, 13
Bootstrapping Coming soon to a Github near you... 28 Friday,
October 18, 13
Bootstrapping Coming soon to a Github near you... 28 $
./start.py tftp “Trivial FTP Analyzer” ~/bro Files created. TODO: 1) src/analyzers/protocol/tftp/tftp-‐protocol.pac 2) src/analyzers/protocol/tftp/events.bif 3) src/analyzers/protocol/tftp/tftp-‐analyzer.pac 4) scripts/base/protocols/tftp/main.bro 5) scripts/base/protocols/tftp/dpd.sig Friday, October 18, 13
29 Extra Credit: State flow My_Flow(is_orig: bool) { %member{
bool server_hungry; %} %init{ server_hungry = T; %} function proc_error(msg: My_Type) { server_hungry = F; }; Friday, October 18, 13