Plugin regex issue

Hi all,

I have a quick question regarding Bro’s plugin structure. I’m working on a protocol analyzer plugin that works well, except for one thing— I can’t use Binpac’s RE primitive type in my protocol.pac file. My suspicion is that regex may need to be explicitly loaded for the plugin. I’ve tested the same code by compiling it into Bro and it works there, just not as a plugin.

Is anyone (perhaps the Bro team, Robin?) aware of an issue using RE primitives in plugins? Every other primitive type I’ve tested works.

The analyzer is a very early work in progress, but you can find and test the issue if you want: https://github.com/jshlbrd/bro-analyzers/tree/master/stun-protocol-plugin

Further details below …

    type STUN_UDP_MAGIC_PDU(is_orig: bool) = record {
        message_type: uint16;
        message_len: uint16;
        magic_cookie: RE/\x21\x12\xa4\x42/;
        trans_id: bytestring &length=12;
        #attributes: STUN_ATTRIBUTE[] &until($input.length() == 0);
    } &byteorder=bigendian &length=message_len+20;

In the record above, when used as a plugin, the magic_cookie is skipped. When compiled, it works as expected.

Thanks!

Josh
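
An added example, not part of the original post or of the linked analyzer: a Python parser for the header layout in the record above, showing what the magic_cookie match is for. The check_cookie switch, the function names and the two sample payloads are constructed for illustration, and check_cookie=False only models a parser that does not enforce the cookie; it does not reproduce the plugin behaviour itself.

```python
import struct

MAGIC_COOKIE = bytes.fromhex("2112a442")  # same bytes as the RE in the record
HEADER_LEN = 20  # 2 + 2 + 4 + 12, the constant in &length=message_len+20


class StunParseError(ValueError):
    pass


def parse_stun_header(data: bytes, check_cookie: bool = True) -> dict:
    """Parse one PDU laid out like STUN_UDP_MAGIC_PDU (big-endian)."""
    if len(data) < HEADER_LEN:
        raise StunParseError("payload shorter than the 20-byte header")
    message_type, message_len = struct.unpack_from("!HH", data, 0)
    cookie = data[4:8]
    # The cookie is the only fixed value in the header; without this check
    # any 20+ byte UDP payload with a plausible length field is accepted.
    if check_cookie and cookie != MAGIC_COOKIE:
        raise StunParseError("magic cookie mismatch")
    if len(data) < HEADER_LEN + message_len:
        raise StunParseError("payload shorter than message_len + 20")
    return {
        "message_type": message_type,
        "message_len": message_len,
        "magic_cookie": cookie,
        "trans_id": data[8:20],
        "attributes": data[20:20 + message_len],
    }


def is_stun(data: bytes) -> bool:
    """True only when the payload parses with the cookie enforced."""
    try:
        parse_stun_header(data)
        return True
    except StunParseError:
        return False


# Constructed samples: a header with the cookie, and unrelated UDP bytes
# that happen to carry a zero length field at the same offset.
SAMPLE_STUN = struct.pack("!HH", 0x0001, 0) + MAGIC_COOKIE + bytes(range(12))
SAMPLE_OTHER = struct.pack("!HH", 0x0001, 0) + b"\xde\xad\xbe\xef" + bytes(12)

if __name__ == "__main__":
    print("with cookie:", is_stun(SAMPLE_STUN), "| other bytes:", is_stun(SAMPLE_OTHER))
    print("unchecked parse:", parse_stun_header(SAMPLE_OTHER, check_cookie=False))
```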

Turns out it's a problem with the order in which the BinPAC system is
initialized. I just pushed a fix for Bro to git that seems to solve
it. Give it a try.

Robin

Thanks Robin, it looks like it fixed the issue I was having with this analyzer. I have another analyzer that primarily uses regex for the protocol parsing, so I’ll try that later and verify it works as well.

Will the fix you pushed to git be available in the Bro 2.5 release, or will it be packaged and available sooner than that?

Thanks!
Josh

Well, later turned out to come a lot sooner than I thought. I tested it with my second analyzer plugin and all is well. Thanks again!

Josh