BinPAC analyzer name

dw21 · November 7, 2016, 10:56pm

Hi there,

I wrote a new analyzer with BinPAC for a protocol named 'AMS'.
Somehow when I create the analyzer via the binpac python script and name the analyzer 'AMS' or 'ams', the analyzer won't work. When I name it 'TEST' or 'test', it works fine (same protocol specification, C++ Code, etc.)

Is there a name convention for new analyzer? Or does anyone know, why BinPAC/Bro won't accept the name 'ams'?

Thank you!

johanna · November 28, 2016, 11:05pm

By don't work - do you mean that it doesn't compile? Or does it not get
any traffic? Or does it not raise events?

Johanna

dw21 · November 28, 2016, 11:11pm

Hey,

thanks for your reply.

"Don't work" means that it doesn't raise any event nor executes the (C++) code in the analyser.pac file. It's like it can't read the traffic or something.

Like I said, when I name it Test or PROTO-AMS or something like that, it works fine.

Dane

johanna · November 28, 2016, 11:15pm

Interesting, I am not really aware of any reason why just using AMS should
not work.

Do you appen to have your code up on github (or somewhere else)? Then I
could take a look.

If you want to investigate for a bit yourself, build bro with
--enable-debug, start it with -B dpd and look at debug.log. There you
should see if data is sent to your analyzer - that might already give you
pointers if something is going wrong at/before/after this step.

Johanna

dw21 · November 28, 2016, 11:45pm

Well, I tested this behavior with the “standard code” generated by the binpac python script. I named one analyzer Test and the other AMS.

Both have the same PDU record type (except for the name of course)

type NAME_PDU(is_orig: bool) = record {
data: bytestring &restofdata;
} &byteorder=bigendian;

and the same analyzer.pac (except for the name again) with the same “proc” function:

function proc_NAME_message(msg: NAME_PDU) : bool
…
BifEvent::generate_NAME_event(…);
std::cout << “Name PDU” << endl; # for debugging
…

Both analyzers are enabled (checked it with -B dpd and -NN)

When I run it with some .pcap file, I only get the “Test PDU” output. Tested it with several .pcap files, everytime the same result.

Dane

Vlad_Grigorescu3 · December 6, 2016, 3:52pm

Hmm. Could be a capitalization issue? binpac_quickstart does do some
uppercasing/lowercasing in a couple of the templates. For example:

Dane Wullen <brot212@googlemail.com> writes:

function proc_NAME_message(msg: NAME_PDU) : bool
...
BifEvent::generate_NAME_event(...);
std::cout << "Name PDU" << endl; # for debugging
...

NAME here will always be lowercase (since that matches the naming scheme
for events).

I poked around with this a bit, and couldn't duplicate it. Can you put
the contents of src/analyzer/protocol/ams somewhere I could see it?

Thanks,

--Vlad

dw21 · December 17, 2016, 2:00pm

Hey,

sorry, I was kind of busy the last days and couldn't answer.

http://pastebin.com/6Z9fykTT <-- all .pac files
http://pastebin.com/VBUM5CwE <- all .CC and .h files

This is the binPAC code. Like I said, only the standard code, untouched (except the std::cout line).
The same code with Test instead of AMS works fine. I don't know, maybe I'm doing something wrong, I've tested it on 3 VMs and on a Raspberry Pi, but the result are always the same.

Thanks

Dane

Topic		Replies	Views
Confusing binPAC error... Zeek	3	68	May 6, 2022
BinPAC &check Zeek	1	62	May 6, 2022
Problems in writing an analyzer for custom TCP-based protocol Zeek	1	63	May 6, 2022
Help creating new analyzer Development development	8	124	May 6, 2022
ntp protocol analyzer Zeek	4	76	May 6, 2022

BinPAC analyzer name

Related Topics