binpac documentation

Hi,
I saw a bug in the SOCKS analyzer. I want to fix it, but unfortunately I don't speak binpac. Is there documentation on it? (http://www.bro.org/development/howtos/binpac-sample-analyzer.html is not sufficient.)

thanks,
Nicolas

Hi,

This is the original paper: http://www.icir.org/robin/papers/imc06.pdf

Eric

What's the bug?

  .Seth


It appears when using username authentication with SOCKS 5.

After the client and the server have chosen username authentication, the client has to send the following packet:

Client request (RFC 1929):

Do you have a trace file that exhibits the issue? It would be helpful to have a file we could add to our test suite to make sure this issue gets fixed and stays fixed. :)

  .Seth

hi,
I am still investigating the SOCKS bug. In addition to the byte version problem, I noticed that only data from the client is displayed by DeliverStream, which is strange. So I took a look at my use case trace, and it appears that the TCP connection uses the PUSH flag. How does Bro deal with the PUSH flag? Could the problem come from this?

Here is the TCP flow of my test case:

Client 192.168.0.1:55951  <->  SOCKS server 192.168.0.2:1080

Time     | Direction        | Flags             | Seq | Ack
---------|------------------|-------------------|-----|----
0.000000 | client -> server | SYN               |   0 |  -
0.000063 | server -> client | SYN, ACK          |   0 |  1
0.000923 | client -> server | ACK               |   1 |  1
0.069237 | client -> server | PSH, ACK, Len: 5  |   1 |  1
0.069282 | server -> client | ACK               |   1 |  6
0.212734 | server -> client | PSH, ACK, Len: 2  |   1 |  6
0.213192 | client -> server | ACK               |   6 |  3
0.213561 | client -> server | PSH, ACK, Len: 11 |   6 |  3
0.213583 | server -> client | ACK               |   3 | 17
0.216805 | server -> client | PSH, ACK, Len: 2  |   3 | 17
0.217095 | client -> server | PSH, ACK, Len: 10 |  17 |  5
0.222837 | server -> client | PSH, ACK, Len: 10 |   5 | 27

Nicolas
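As an added example (not code from this thread, nor from Bro's binpac SOCKS analyzer), here is a small Python parser for the RFC 1929 username/password sub-negotiation that the "Client request (RFC 1929)" message above refers to and that the 11-byte and 2-byte segments in the trace carry. The message bytes are constructed, and it assumes that the "byte version problem" is the distinction between the sub-negotiation version byte (0x01) and the SOCKS version byte (0x05), which is what a parser most easily gets wrong.

```python
# Added example, not from the thread or from Bro/binpac. Messages are constructed;
# the 0x01-vs-0x05 version-byte distinction is the assumed "byte version problem".
SOCKS_VER = 0x05     # version byte on the greeting, method select, request, reply
AUTH_VER = 0x01      # version byte on the RFC 1929 username/password sub-negotiation
METHOD_USERPASS = 0x02

def build_auth_request(user: str, password: str) -> bytes:
    """RFC 1929 client request: VER(0x01) ULEN UNAME PLEN PASSWD."""
    u, p = user.encode(), password.encode()
    return bytes([AUTH_VER, len(u)]) + u + bytes([len(p)]) + p

def parse_auth_request(buf: bytes) -> tuple:
    """Return (username, password); raise ValueError on a malformed request."""
    if len(buf) < 3 or buf[0] != AUTH_VER:
        raise ValueError("expected RFC 1929 version 0x01, got %r" % buf[:1])
    ulen = buf[1]
    plen_off = 2 + ulen                       # position of PLEN
    if len(buf) <= plen_off:
        raise ValueError("truncated username")
    plen = buf[plen_off]
    passwd = buf[plen_off + 1:plen_off + 1 + plen]
    if len(passwd) != plen or len(buf) != plen_off + 1 + plen:
        raise ValueError("truncated or trailing password bytes")
    return buf[2:plen_off].decode(), passwd.decode()

def parse_auth_response(buf: bytes) -> bool:
    """RFC 1929 server response: VER(0x01) STATUS; True when STATUS is 0x00."""
    if len(buf) != 2 or buf[0] != AUTH_VER:
        raise ValueError("bad RFC 1929 response")
    return buf[1] == 0x00

def parse_method_select(buf: bytes) -> int:
    """Server method selection: VER(0x05) METHOD; returns the chosen method."""
    if len(buf) != 2 or buf[0] != SOCKS_VER:
        raise ValueError("bad method selection")
    return buf[1]

def naive_version_ok(buf: bytes) -> bool:
    """The pitfall: demanding 0x05 on every message rejects a valid login."""
    return len(buf) > 0 and buf[0] == SOCKS_VER

# Constructed handshake with the same payload sizes as the trace (5, 2, 11, 2).
CLIENT_GREETING = bytes([SOCKS_VER, 3, 0x00, 0x01, 0x02])  # offers 3 methods
SERVER_METHOD = bytes([SOCKS_VER, METHOD_USERPASS])
CLIENT_AUTH = build_auth_request("alice", "pw1")           # 11 bytes
SERVER_AUTH_OK = bytes([AUTH_VER, 0x00])
```

A parser that dispatches on the negotiated method, as the analyzer must after the 2-byte method selection, needs to switch to the 0x01 check for exactly the next two messages and back to 0x05 for the CONNECT request and reply.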

it appears that the TCP connection uses the PUSH flag. How does Bro deal
with the PUSH flag? Could the problem come from this?

It ignores it, so the problem is something else.

    Vern

I figured it out: it was a bad TCP checksum due to tcpdump (UDP / TCP Checksum errors from tcpdump & NIC Hardware Offloading | Techie in IT). I corrected the checksums with "tcprewrite -i input.cap -o output.cap -C" and Bro seems to work fine :)

Nicolas

Were you using the 2.1 release or a build from our git repository? There is a reporter warning (that now prints to stderr if you're running the bro binary directly) that should indicate if your tracefile has bad checksums. I've been caught by that problem quite a few times myself before realizing that I had bad checksums.

.Seth

Actually, I was using 2.1.
I also tried the build from git, which helped me discover the bad checksums thanks to the warning.

Nicolas