Protocols in protocols


I’m writing an analyzer for a few protocols which may or may not be layered. That is, a packet may be IP|TCP|ProtoA|ProtoB, or IP|TCP|ProtoC|ProtoB, or IP|TCP|ProtoB, and perhaps other variations. I envision writing separate protocol analyzers for each of those protocols instead of having to account for all the variations in one protocol analyzer. Does Bro/binPAC allow for this, and if so how? If it makes a difference, in this case most of the protocols cannot have useful DPD signatures.

For protocols that sit inside a transport protocol (TCP/UDP), it’s typical to write a DPD signature and/or have a script that calls [1] to have Bro automatically instantiate and manage an analyzer for the inner protocol (e.g. Proto{A,B,C}). If those may encapsulate a known application-layer protocol, then it may just be a matter of putting code inside those outer analyzers to do their own instantiation/management of some inner analyzer (e.g. ProtoB) and feed it the appropriate data. But if the inner protocol can be another IPv4/IPv6 packet or an arbitrary application-layer protocol, it needs a different treatment. I can elaborate if that's the situation.

- Jon


Okay let me use a specific case that exemplifies what I¹m hoping to do.
Take a DCERPC packet that is transported over directed hosted SMB2 over
TCP/IP. The packet headers look like this: Ethernet|IP|TCP|NetBIOS

Taking what you said, I would instantiate the SMB2 analyzer when
processing the NetBIOS stub, and I would instantiate the DCERPC analyzer
when processing SMB2. I¹m willing to do that. So how does one
instantiate/feed data to the inner protocol?

There’s not necessarily a particular way it has to be done. If the inner protocols are implementing the Analyzer interface, it might be as simple as “smb2 = new SMB2_Analyzer(Conn()); smb2->DeliverStream(data_len, data, is_orig);”. But depending on protocol complexities, there might be a lot more code involved in how you choose to glue/chain analyzers together.

There is some NetBIOS/SMB/DCERPC code sitting around in Bro that might still be useful to you for getting ideas of how analyzer/parsers can interact w/ one another. Another example is the FTP analyzer, which also does some simple SSL processing of ADAT commands and ties the FTP and SSL analyzers together through just the interface of the Analyzer base class and an additional SupportAnalyzer.

- Jon