Digging through Source Code

Yes, but there's something that's still stumping me.

Looking at line 70 from https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-analyzer.pac

case 8:
        if ( element->data()->etype()->data()->size() )
                rv->Assign(11, proc_cipher_list(element->data()->etype()));

Following the breadcrumb trail in the if statement here...

        element is type KRB_REQ_Arg (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-protocol.pac)
-> data is type KRB_REQ_Arg_Data (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-protocol.pac)
-> etype is type Array (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/asn1/asn1.pac)
-> data is type ASN1Encoding (defined - https://github.com/bro/bro/blob/master/src/analyzer/protocol/asn1/asn1.pac)
-> size is type ?

Following this line of thought, I'm a little confused by what "size()" is supposed to mean here, since it's not an attribute. I can infer that it's simply returning the size of the record, but I don't have any information as to how or where that would be defined. I've also tried looking through the source of BinPAC (https://www.bro.org/sphinx/components/binpac/README.html) but have come up empty so far.

I have a sample of kerberos pcap that populates the msg$pa_data$encryption_type vector (from event krb_tgs_request), so I know that the aforementioned if statement is returning true - - but the other two vectors "host_addrs" and "additional"tickets" (that from documentation seem to imply they're parallel with the encryption_type vector) come up as <uninitialized>.

This made me question that maybe there was something wrong with the code that was causing it to miss the host_addr and ticket data, I clearly find this data in my pcap sample under padata. This is my current theory anyway, and wanted to see if I'm making a bad assumption somewhere or if someone can shed light on what's going on here.

Talking about ASN1. Would bro be able to read ETSI standard files ?

Actually, data is of type ASN1Encoding[] - so it is an array; size returns
the size of that array (i.e. the number of array elements).

I hope that helps,

I don't know ETSI standard files, but just assuming they are some kind of
ASN.1 data:

While Bro has a bit of ASN.1 parsing capability (meaning that there is a
binpac definition for parts of ASN.1), the implementation is limited to a
small subset of ASN.1. Furthermore it is no generic parser - one still has
to implement the actual parsing logic for the specific ASN.1 data on top
of the existing primitives.

So - no, not currently.