How to Write a Protocol Analyzer

How to Write a Protocol Analyzer Vlad Grigorescu 1 Friday,
October 18, 13

What Do Analyzers Do? • Parse the network trafﬁc •
Generate events 2 • Handle the events • Generate logs Friday, October 18, 13

What Do Analyzers Do? • Parse the network trafﬁc •
Generate events 2 • Handle the events • Generate logs Core Layer Script Layer Friday, October 18, 13

Parsing Trafﬁc Goal: Convert packet payload to data structure 3
Friday, October 18, 13

Parsing Trafﬁc Goal: Convert packet payload to data structure 3
<15>Mar 19 14:06:37 scobel-‐113 : debug... priority (8*facility + severity) message Friday, October 18, 13

4 Parsing Trafﬁc struct syslog_data { int facility;
int severity; char* msg; }; /* Parsing code */ <15>Mar 19 14:06:37 scobel-113 : debug... Friday, October 18, 13

binpac • A domain-speciﬁc language for protocol parsing • Build
“types” to represent logical data structures • .pac ﬁles get processed into C++ source code 5 Friday, October 18, 13

6 Parsing Trafﬁc type Syslog_Message = record {
PRI: Syslog_Priority; msg: bytestring &restofdata; } &byteorder = littleendian; <15>Mar 19 14:06:37 scobel-113 : debug... Friday, October 18, 13

type Syslog_Priority = record { lt
: uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } Parsing Trafﬁc 7 <15>Mar 19 14:06:37 scobel-113 : debug... ; Friday, October 18, 13

: uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } &let { pri: int=bytestring_to_int(tmppri, 10); Parsing Trafﬁc 7 <15>Mar 19 14:06:37 scobel-113 : debug... }; Friday, October 18, 13

: uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } &let { pri: int=bytestring_to_int(tmppri, 10); Parsing Trafﬁc 7 <15>Mar 19 14:06:37 scobel-113 : debug... // pri == facility*8 + severity facility: int = pri / 8; severity: int = pri % 8; }; Friday, October 18, 13

8 Parsing Trafﬁc √ syslog-‐protocol.pac - Defines the protocol Friday,
October 18, 13

Generating Events Whenever we see a syslog message, generate the
syslog_message event: syslog_message( conn facility severity msg ) 9 Friday, October 18, 13

Generating Events Whenever we see a syslog message, generate the
syslog_message event: syslog_message( conn facility severity msg ) 9 : connection, : int, : int, : string Friday, October 18, 13

10 Generating Events event syslog_message(%
c: connection, facility: int, severity: int, msg: string %); Friday, October 18, 13

10 Generating Events event syslog_message(%
c: connection, facility: int, severity: int, msg: string %); √ events.bif - Defines the events Friday, October 18, 13

11 Generating Events type Syslog_Message = record { PRI:
Syslog_Priority; msg: bytestring &restofdata; } &byteorder = littleendian; type Syslog_Priority = record { lt : uint8; tmppri: RE/[[:digit:]]+/; gt : uint8; } &let { pri: int = bytestring_to_int(val, 10); facility: int = pri / 8; severity: int = pri % 8; }; Friday, October 18, 13

function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): Generating Events 12 Friday, October 18, 13

13 Generating Events function proc_syslog_msg(facility: count,
severity: count, msg: bytestring ): bool %{ %} Friday, October 18, 13

severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); %} Friday, October 18, 13

severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} Friday, October 18, 13

16 Connections and Flows Friday, October 18, 13

19 Generating Events refine flow Syslog_Flow += { function
proc_syslog_msg(facility: count, severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} }; Friday, October 18, 13

refine typeattr Syslog_Message += &let { proc_syslog_message
= $context.flow.proc_syslog_msg(PRI.facility, PRI.severity, msg); }; Generating Events 20 Friday, October 18, 13

proc_syslog_msg(facility: count, severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} }; refine typeattr Syslog_Message += &let { proc_syslog_message = $context.flow.proc_syslog_msg(PRI.facility, PRI.severity, msg); }; Friday, October 18, 13

proc_syslog_msg(facility: count, severity: count, msg: bytestring ): bool %{ BifEvent::generate_syslog_message( connection()-‐>bro_analyzer(), connection()-‐>bro_analyzer()-‐>Conn(), facility, severity, bytestring_to_val(msg)); return true; %} }; refine typeattr Syslog_Message += &let { proc_syslog_message = $context.flow.proc_syslog_msg(PRI.facility, PRI.severity, msg); }; √ syslog-‐analyzer.pac - Generates the events (and handles state) Friday, October 18, 13

22 What Do Analyzers Do? Parse the network trafﬁc Generate
events • Handle the events • Generate logs Core Layer Script Layer Friday, October 18, 13

Handle Those Events! 23 module Syslog; const ports = {
514/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Analyzer::register_for_ports( Analyzer::ANALYZER_SYSLOG, ports); } Friday, October 18, 13

24 Handle Those Events! event syslog_message(c: connection,
facility: count, severity: count, msg: string) &priority=5 { print(fmt(“I have a message! %s”, msg); } Friday, October 18, 13

514/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Analyzer::register_for_ports( Analyzer::ANALYZER_SYSLOG, ports); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 { print(fmt(“I have a message! %s”, msg); } Friday, October 18, 13

514/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Analyzer::register_for_ports( Analyzer::ANALYZER_SYSLOG, ports); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 { print(fmt(“I have a message! %s”, msg); } √ main.bro - Registers the analyzer, handles events, logs Friday, October 18, 13

26 Non-Standard Ports? const ports = { 514/udp }; Friday,
October 18, 13

26 Non-Standard Ports? signature dpd_syslog { ip-‐proto == udp
payload /^<[0-‐9][0-‐9]?[0-‐9]?>/ enable "syslog" } Friday, October 18, 13

26 Non-Standard Ports? signature dpd_syslog { ip-‐proto == udp
payload /^<[0-‐9][0-‐9]?[0-‐9]?>/ enable "syslog" } √ dpd.sig - Defines DPD signatures Friday, October 18, 13

Dealing with Errors 27 event protocol_violation(
c: connection, atype: Analyzer::Tag, aid: count, reason: string) Binpac exception: binpac exception: string mismatch at src/analyzer/protocol/sip/ sip-‐protocol.pac:61: expected pattern: "(([^: \t]+|\r\n))" actual data: "" Friday, October 18, 13

Bootstrapping Coming soon to a Github near you... 28 Friday,
October 18, 13

Bootstrapping Coming soon to a Github near you... 28 $
./start.py tftp “Trivial FTP Analyzer” ~/bro Files created. TODO: 1) src/analyzers/protocol/tftp/tftp-‐protocol.pac 2) src/analyzers/protocol/tftp/events.bif 3) src/analyzers/protocol/tftp/tftp-‐analyzer.pac 4) scripts/base/protocols/tftp/main.bro 5) scripts/base/protocols/tftp/dpd.sig Friday, October 18, 13

29 Extra Credit: State flow My_Flow(is_orig: bool) { %member{
bool server_hungry; %} %init{ server_hungry = T; %} function proc_error(msg: My_Type) { server_hungry = F; }; Friday, October 18, 13

How to Write a Protocol Analyzer

How to Write a Protocol Analyzer

More Decks by Vlad Grigorescu

Other Decks in Programming

Featured

Transcript