Protocols in protocols

Eric_Thomas · March 26, 2014, 4:49pm

Hello,

I’m writing an analyzer for a few protocols which may or may not be layered. That is, a packet may be IP|TCP|ProtoA|ProtoB, or IP|TCP|ProtoC|ProtoB, or IP|TCP|ProtoB, and perhaps other variations. I envision writing separate protocol analyzers for each of those protocols instead of having to account for all the variations in one protocol analyzer. Does Bro/binPAC allow for this, and if so how? If it makes a difference, in this case most of the protocols cannot have useful DPD signatures.

Siwek_Jon · March 26, 2014, 6:34pm

For protocols that sit inside a transport protocol (TCP/UDP), it’s typical to write a DPD signature and/or have a script that calls [1] to have Bro automatically instantiate and manage an analyzer for the inner protocol (e.g. Proto{A,B,C}). If those may encapsulate a known application-layer protocol, then it may just be a matter of putting code inside those outer analyzers to do their own instantiation/management of some inner analyzer (e.g. ProtoB) and feed it the appropriate data. But if the inner protocol can be another IPv4/IPv6 packet or an arbitrary application-layer protocol, it needs a different treatment. I can elaborate if that's the situation.

- Jon

[1] http://bro.org/sphinx/scripts/base/frameworks/analyzer/main.html#id-Analyzer::register_for_ports

Eric_Thomas · March 26, 2014, 6:45pm

Okay let me use a specific case that exemplifies what I¹m hoping to do.
Take a DCERPC packet that is transported over directed hosted SMB2 over
TCP/IP. The packet headers look like this: Ethernet|IP|TCP|NetBIOS
stub>SMB2|DCERPC.

Taking what you said, I would instantiate the SMB2 analyzer when
processing the NetBIOS stub, and I would instantiate the DCERPC analyzer
when processing SMB2. I¹m willing to do that. So how does one
instantiate/feed data to the inner protocol?

Siwek_Jon · March 26, 2014, 9:05pm

There’s not necessarily a particular way it has to be done. If the inner protocols are implementing the Analyzer interface, it might be as simple as “smb2 = new SMB2_Analyzer(Conn()); smb2->DeliverStream(data_len, data, is_orig);”. But depending on protocol complexities, there might be a lot more code involved in how you choose to glue/chain analyzers together.

There is some NetBIOS/SMB/DCERPC code sitting around in Bro that might still be useful to you for getting ideas of how analyzer/parsers can interact w/ one another. Another example is the FTP analyzer, which also does some simple SSL processing of ADAT commands and ties the FTP and SSL analyzers together through just the interface of the Analyzer base class and an additional SupportAnalyzer.

- Jon

Topic		Replies	Views
Implementing new layer 2 Protocol Zeek	2	100	May 6, 2022
Packet Signature, Protocol, and Analyzer Relationship Development development	2	78	May 6, 2022
Requesting some pointers- Adding a new protocol to BRO- Facing problems Zeek	3	73	May 6, 2022
Detecting protocols without full analyzers Development development	3	92	May 6, 2022
what application layer protocols could Bro-2.1 identify using its default configuration? Zeek	2	76	May 6, 2022

Protocols in protocols

Related topics