Hello everyone,
I am working on a banking protocol decoder and am trying to generate an event that returns an object of type record. I assume the protocol decoding is OK because it works when I raise an event with a Val (count or string) object.
When I change events.bif and the analyzer.pac to return an event with a record object type, I get a core dump in Bro. The error is that the CBCOM::Message type is unknown in file /opt/bro-2.3.2/share/bro/base/bif/plugins/Bro_CBCOM.events.bif.bro.
This type has been declared in the “events.bif” file.
I have followed what is done for the radius protocol decoder under src/analyzer/protocol/radius in the Bro source files.
· Cbcom-protocol.pac:
type CBCOM_PDU(is_orig: bool) = record {
	msg_length: uint32;
	pgi:        uint8[1];
	lgi:        uint8;
	# TLV list occupying exactly "lgi" bytes.
	zp:         CBCOM_TLV[] &length = lgi, &until($input.length() == 0);
	apdu:       case apdudata of {
		0       -> none: empty;
		default -> cb2a: CBCOM_APDU;
	};
} &let {
	# Remaining APDU length after the header and the TLV block.
	apdudata: int = msg_length - lgi - 2;
} &byteorder=bigendian;

type CBCOM_TLV = record {
	# The check must refer to the field being checked ("ti"), not "pi".
	ti: uint8 &check(ti == 0x01 || ti == 0x05 || ti == 0x06 || ti == 0x07 || ti == 0x08 || ti == 0x0f || ti == 0x10 || ti == 0x11 || ti == 0x12 || ti == 0x19);
	li: uint8;
	vi: uint8[li];
} &byteorder=bigendian;
……
· Cbcom-analyzer.pac, generating the event with result (record type):
….
function proc_cbcom_message(msg: CBCOM_PDU): bool
	%{
	RecordVal* result = new RecordVal(BifType::Record::CBCOM::Message);
	result->Assign(0, new Val(${msg.msg_length}, TYPE_COUNT));

	// pgi is a uint8 array; copy it into a buffer and store it as a hex string.
	uint length = ${msg.pgi}->size();
	char buf[length];
	for ( uint i = 0; i < length; ++i )
		buf[i] = ${msg.pgi[i]};
	result->Assign(1, string_to_val(get_hex_tostring(buf, length, true)));

	result->Assign(2, new Val(${msg.lgi}, TYPE_COUNT));

	if ( ${msg.zp}->size() )
		{
		TableVal* zp = new TableVal(BifType::Table::CBCOM::Zp);

		for ( uint i = 0; i < ${msg.zp}->size(); ++i )
			{
			Val* index = new Val(${msg.zp[i].ti}, TYPE_COUNT);

			// Do we already have a vector of values for this TLV tag?
			Val* current = zp->Lookup(index);

			uint length2 = ${msg.zp[i].vi}->size();
			char char_vi[length2];
			for ( uint j = 0; j < length2; ++j )
				char_vi[j] = ${msg.zp[i].vi[j]};

			Val* val = string_to_val(get_hex_tostring(char_vi, length2, true));

			if ( current )
				{
				VectorVal* vcurrent = current->AsVectorVal();
				vcurrent->Assign(vcurrent->Size(), val);
				}
			else
				{
				VectorVal* parametres = new VectorVal(BifType::Vector::CBCOM::Parametres);
				parametres->Assign((unsigned int)0, val);
				zp->Assign(index, parametres);
				}

			Unref(index);
			}

		result->Assign(3, zp);
		}

	BifEvent::generate_cbcom_message(connection()->bro_analyzer(),
	                                 connection()->bro_analyzer()->Conn(),
	                                 result);

	return true;
	%}
……
· events.bif with the Bro event taking result as a record type:
event cbcom_message%(c: connection, result: CBCOM::Message%);
event cbcom_apdu%(c: connection, itm: string%);
event cbcom_pan%(c: connection, pan: string%);
type CBCOM::Parametres: vector;
type CBCOM::Zp: table;
type CBCOM::Message: record;
Could anyone who has an idea or who has worked on the radius decoder help me?
Thanks!
Best regards,
T. +33 4 42 25 15 51
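The radius decoder the post follows pairs each opaque `type RADIUS::...: record;` / `table;` / `vector;` line in its .bif with a script-land definition of the same type (in Bro 2.3 those live in scripts/base/init-bare.bro, which is loaded before the plugin .bif.bro files); the .bif line only refers to that script type, it does not create it. The following is an added example, not code from the post or from Bro, showing the script-side definitions the `type CBCOM::...` lines in the events.bif above would need to resolve to. The field list and order are derived from the `Assign(0..3)` calls in proc_cbcom_message; the field names, the handler script, and the file placement are assumptions.

```bro
# Added example (not the poster's code): script-land types that the opaque
# "type CBCOM::Parametres: vector;", "type CBCOM::Zp: table;" and
# "type CBCOM::Message: record;" lines in events.bif refer to.
# Bro 2.3 defines the RADIUS equivalents in scripts/base/init-bare.bro; putting
# these in the same file, or in any script loaded before the plugin .bif.bro
# files, is the assumption made here.
module CBCOM;

export {
	## One hex string per occurrence of a TLV tag (built from "vi").
	type CBCOM::Parametres: vector of string;

	## TLV tag ("ti") -> every value seen for that tag. The index type is
	## count because the C++ side uses new Val(${msg.zp[i].ti}, TYPE_COUNT).
	type CBCOM::Zp: table[count] of CBCOM::Parametres;

	## Field order must match the Assign() indices in proc_cbcom_message:
	## 0 = msg_length, 1 = pgi, 2 = lgi, 3 = zp. Field names are assumed.
	type CBCOM::Message: record {
		## Assign(0, new Val(${msg.msg_length}, TYPE_COUNT))
		msg_length : count;
		## Assign(1, string_to_val(get_hex_tostring(buf, length, true)))
		pgi        : string;
		## Assign(2, new Val(${msg.lgi}, TYPE_COUNT))
		lgi        : count;
		## Assign(3, zp) runs only when ${msg.zp}->size() > 0, so a
		## message without TLVs leaves this field unset: it must be &optional.
		zp         : CBCOM::Zp &optional;
	};
}

module GLOBAL;

# Added example handler (assumed to live in a separate policy script):
# log each decoded message and how many distinct TLV tags it carried.
event cbcom_message(c: connection, result: CBCOM::Message)
	{
	# Guard the &optional field before reading it.
	local ntags = result?$zp ? |result$zp| : 0;
	print fmt("%s CBCOM msg_length=%d pgi=%s lgi=%d tlv_tags=%d",
	          c$id$orig_h, result$msg_length, result$pgi, result$lgi, ntags);
	}
```

If the record type is referenced by the event signature in the generated Bro_CBCOM.events.bif.bro before a script defining CBCOM::Message has been loaded, the parser reports exactly the "type is unknown" error quoted in the post, so the load order of the defining script relative to base/bif/plugins is the first thing to check.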