Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
How to Write a Protocol Analyzer
Search
Vlad Grigorescu
August 07, 2013
Programming
0
170
How to Write a Protocol Analyzer
From the 2013 Bro Exchange
Vlad Grigorescu
August 07, 2013
Tweet
Share
More Decks by Vlad Grigorescu
See All by Vlad Grigorescu
Bro Deployment Verification and Troubleshooting
vladg
1
1k
Bro's Exec Module
vladg
0
350
EDUCAUSE SPC 2013 - Log Management (2/2)
vladg
0
170
Other Decks in Programming
See All in Programming
Swift Concurrency 年表クイズ
omochi
3
220
なんでRustの環境構築してないのにRust製のツールが動くの? / Why Do Rust-Based Tools Run Without a Rust Environment?
ssssota
14
47k
HTTPじゃ遅すぎる! SwitchBotを自作ハブで動かして学ぶBLE通信
occhi
0
140
CSC509 Lecture 09
javiergs
PRO
0
280
AsyncSequenceとAsyncStreamのプロポーザルを全部読む!!
s_shimotori
1
220
ビルドプロセスをデバッグしよう!
yt8492
0
210
MCPサーバー「モディフィウス」で変更容易性の向上をスケールする / modifius
minodriven
4
330
Pythonに漸進的に型をつける
nealle
1
150
CSC305 Lecture 11
javiergs
PRO
0
320
AI時代に必須!状況言語化スキル / ai-context-verbalization
minodriven
2
300
Making Angular Apps Smarter with Generative AI: Local and Offline-capable
christianliebel
PRO
0
100
AkarengaLT vol.38
hashimoto_kei
1
130
Featured
See All Featured
How to train your dragon (web standard)
notwaldorf
97
6.3k
Side Projects
sachag
455
43k
Git: the NoSQL Database
bkeepers
PRO
431
66k
Visualization
eitanlees
150
16k
Build The Right Thing And Hit Your Dates
maggiecrowley
38
2.9k
Reflections from 52 weeks, 52 projects
jeffersonlam
355
21k
GraphQLの誤解/rethinking-graphql
sonatard
73
11k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
231
22k
Practical Orchestrator
shlominoach
190
11k
Leading Effective Engineering Teams in the AI Era
addyosmani
7
700
Building an army of robots
kneath
306
46k
Transcript
How to Write a Protocol Analyzer Vlad Grigorescu 1 Friday,
October 18, 13
What Do Analyzers Do? • Parse the network traffic •
Generate events 2 • Handle the events • Generate logs Friday, October 18, 13
What Do Analyzers Do? • Parse the network traffic •
Generate events 2 • Handle the events • Generate logs Core Layer Script Layer Friday, October 18, 13
Parsing Traffic Goal: Convert packet payload to data structure 3
Friday, October 18, 13
Parsing Traffic Goal: Convert packet payload to data structure 3
<15>Mar 19 14:06:37 scobel-‐113 : debug... priority (8*facility + severity) message Friday, October 18, 13
4 Parsing Traffic struct syslog_data { int facility;
int severity; char* msg; }; /* Parsing code */ <15>Mar 19 14:06:37 scobel-113 : debug... Friday, October 18, 13
binpac • A domain-specific language for protocol parsing • Build
“types” to represent logical data structures • .pac files get processed into C++ source code 5 Friday, October 18, 13
6 Parsing Traffic type Syslog_Message = record {
PRI: Syslog_Priority; msg: bytestring &restofdata; } &byteorder = littleendian; <15>Mar 19 14:06:37 scobel-113 : debug... Friday, October 18, 13
type Syslog_Priority = record { lt
: uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } Parsing Traffic 7 <15>Mar 19 14:06:37 scobel-113 : debug... ; Friday, October 18, 13
type Syslog_Priority = record { lt
: uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } &let { pri: int=bytestring_to_int(tmppri, 10); Parsing Traffic 7 <15>Mar 19 14:06:37 scobel-113 : debug... }; Friday, October 18, 13
type Syslog_Priority = record { lt
: uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } &let { pri: int=bytestring_to_int(tmppri, 10); Parsing Traffic 7 <15>Mar 19 14:06:37 scobel-113 : debug... // pri == facility*8 + severity facility: int = pri / 8; severity: int = pri % 8; }; Friday, October 18, 13
8 Parsing Traffic √ syslog-‐protocol.pac - Defines the protocol Friday,
October 18, 13
Generating Events Whenever we see a syslog message, generate the
syslog_message event: syslog_message( conn facility severity msg ) 9 Friday, October 18, 13
Generating Events Whenever we see a syslog message, generate the
syslog_message event: syslog_message( conn facility severity msg ) 9 : connection, : int, : int, : string Friday, October 18, 13
10 Generating Events event syslog_message(%
c: connection, facility: int, severity: int, msg: string %); Friday, October 18, 13
10 Generating Events event syslog_message(%
c: connection, facility: int, severity: int, msg: string %); √ events.bif - Defines the events Friday, October 18, 13
11 Generating Events type Syslog_Message = record { PRI:
Syslog_Priority; msg: bytestring &restofdata; } &byteorder = littleendian; type Syslog_Priority = record { lt : uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } &let { pri: int = bytestring_to_int(val, 10); facility: int = pri / 8; severity: int = pri % 8; }; Friday, October 18, 13
function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): Generating Events 12 Friday, October 18, 13
13 Generating Events function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): bool %{ %} Friday, October 18, 13
14 Generating Events function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); %} Friday, October 18, 13
15 Generating Events function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} Friday, October 18, 13
16 Connections and Flows Friday, October 18, 13
17 Connections and Flows Friday, October 18, 13
18 Connections and Flows Friday, October 18, 13
19 Generating Events refine flow Syslog_Flow += { function
proc_syslog_msg(facility: count, severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} }; Friday, October 18, 13
refine typeattr Syslog_Message += &let { proc_syslog_message
= $context.flow.proc_syslog_msg(PRI.facility, PRI.severity, msg); }; Generating Events 20 Friday, October 18, 13
21 Generating Events refine flow Syslog_Flow += { function
proc_syslog_msg(facility: count, severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} }; refine typeattr Syslog_Message += &let { proc_syslog_message = $context.flow.proc_syslog_msg(PRI.facility, PRI.severity, msg); }; Friday, October 18, 13
21 Generating Events refine flow Syslog_Flow += { function
proc_syslog_msg(facility: count, severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} }; refine typeattr Syslog_Message += &let { proc_syslog_message = $context.flow.proc_syslog_msg(PRI.facility, PRI.severity, msg); }; √ syslog-‐analyzer.pac - Generates the events (and handles state) Friday, October 18, 13
22 What Do Analyzers Do? Parse the network traffic Generate
events • Handle the events • Generate logs Core Layer Script Layer Friday, October 18, 13
Handle Those Events! 23 module Syslog; const ports = {
514/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Analyzer::register_for_ports( Analyzer::ANALYZER_SYSLOG, ports); } Friday, October 18, 13
24 Handle Those Events! event syslog_message(c: connection,
facility: count, severity: count, msg: string) &priority=5 { print(fmt(“I have a message! %s”, msg); } Friday, October 18, 13
Handle Those Events! 25 module Syslog; const ports = {
514/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Analyzer::register_for_ports( Analyzer::ANALYZER_SYSLOG, ports); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 { print(fmt(“I have a message! %s”, msg); } Friday, October 18, 13
Handle Those Events! 25 module Syslog; const ports = {
514/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Analyzer::register_for_ports( Analyzer::ANALYZER_SYSLOG, ports); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 { print(fmt(“I have a message! %s”, msg); } √ main.bro - Registers the analyzer, handles events, logs Friday, October 18, 13
26 Non-Standard Ports? const ports = { 514/udp }; Friday,
October 18, 13
26 Non-Standard Ports? signature dpd_syslog { ip-‐proto == udp
payload /^<[0-‐9][0-‐9]?[0-‐9]?>/ enable "syslog" } Friday, October 18, 13
26 Non-Standard Ports? signature dpd_syslog { ip-‐proto == udp
payload /^<[0-‐9][0-‐9]?[0-‐9]?>/ enable "syslog" } √ dpd.sig - Defines DPD signatures Friday, October 18, 13
Dealing with Errors 27 event protocol_violation(
c: connection, atype: Analyzer::Tag, aid: count, reason: string) Binpac exception: binpac exception: string mismatch at src/analyzer/protocol/sip/ sip-‐protocol.pac:61: expected pattern: "(([^: \t]+|\r\n))" actual data: "" Friday, October 18, 13
Bootstrapping Coming soon to a Github near you... 28 Friday,
October 18, 13
Bootstrapping Coming soon to a Github near you... 28 $
./start.py tftp “Trivial FTP Analyzer” ~/bro Files created. TODO: 1) src/analyzers/protocol/tftp/tftp-‐protocol.pac 2) src/analyzers/protocol/tftp/events.bif 3) src/analyzers/protocol/tftp/tftp-‐analyzer.pac 4) scripts/base/protocols/tftp/main.bro 5) scripts/base/protocols/tftp/dpd.sig Friday, October 18, 13
29 Extra Credit: State flow My_Flow(is_orig: bool) { %member{
bool server_hungry; %} %init{ server_hungry = T; %} function proc_error(msg: My_Type) { server_hungry = F; }; Friday, October 18, 13
vladg
omochi
ssssota
occhi
javiergs
s_shimotori
yt8492
minodriven
nealle
christianliebel
hashimoto_kei
notwaldorf
sachag
bkeepers
eitanlees
maggiecrowley
jeffersonlam
sonatard
cassininazir
danielanewman
shlominoach
addyosmani
kneath
