Ah, I didn't catch those commits. Updated to use both, and so far (*knock on wood*) it hasn't crashed. Statistically speaking, the buggy code should've crashed by now. I'll continue to monitor for any issues.
Thanks, --Vlad On Nov 13, 2012, at 3:35 PM, "Siwek, Jonathan Luke" <[email protected]> wrote: > > On Nov 13, 2012, at 1:11 PM, Vlad Grigorescu <[email protected]> wrote: > >> I'm still seeing crashes with this commit (trace included below). Should I >> open a new ticket for this? I don't want to latch onto the merge request at >> #917 unnecessarily. Thanks, > > Did you also checkout the changes I did in the aux/binpac repo (I did changes > in branch "topic/jsiwek/modbus-fixes" in both bro and aux/binpac) ? > > That stack trace looks similar to something I encountered that needed a > change in binpac. > > Jon > >> [New LWP 3282] >> [Thread debugging using libthread_db enabled] >> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". >> Core was generated by `/usr/local/bro/bin/bro -i eth4 -U .status -p broctl >> -p broctl-live -p local -p'. >> Program terminated with signal 6, Aborted. >> #0 0x00007f46f893f425 in raise () from /lib/x86_64-linux-gnu/libc.so.6 >> >> Thread 1 (Thread 0x7f46fac7e780 (LWP 3282)): >> #0 0x00007f46f893f425 in raise () from /lib/x86_64-linux-gnu/libc.so.6 >> #1 0x00007f46f8942b8b in abort () from /lib/x86_64-linux-gnu/libc.so.6 >> #2 0x00007f46f89380ee in ?? () from /lib/x86_64-linux-gnu/libc.so.6 >> #3 0x00007f46f8938192 in __assert_fail () from >> /lib/x86_64-linux-gnu/libc.so.6 >> #4 0x000000000068cd9f in ClearPreviousData (this=<optimized out>) at >> /home/bro/src/bro/aux/binpac/lib/binpac_buffer.cc:213 >> #5 binpac::FlowBuffer::ClearPreviousData (this=<optimized out>) at >> /home/bro/src/bro/aux/binpac/lib/binpac_buffer.cc:208 >> #6 0x000000000068d246 in binpac::FlowBuffer::NewData (this=0xb1b08c0, >> begin=0xbfcf7a0 "\300\205", end=0xbfcf7ad "") at >> /home/bro/src/bro/aux/binpac/lib/binpac_buffer.cc:176 >> #7 0x0000000000503ce0 in binpac::ModbusTCP::ModbusTCP_Flow::NewData >> (this=0x46c1f90, t_begin_of_data=<optimized out>, t_end_of_data=<optimized >> out>) at /home/bro/src/bro/build/src/modbus_pac.cc:2867 >> #8 0x000000000052169d in Analyzer::NextStream (this=0xb1a3640, >> len=<optimized out>, data=<optimized out>, is_orig=<optimized out>) at >> /home/bro/src/bro/src/Analyzer.cc:369 >> #9 0x00000000005222b6 in Analyzer::ForwardStream (this=0xb19b240, len=13, >> data=0xbfcf7a0 "\300\205", is_orig=false) at >> /home/bro/src/bro/src/Analyzer.cc:456 >> #10 0x0000000000646e80 in TCP_Reassembler::DeliverBlock (this=0x5fdf8c0, >> seq=15, len=13, data=0xbfcf7a0 "\300\205") at >> /home/bro/src/bro/src/TCP_Reassembler.cc:618 >> #11 0x00000000006471aa in BlockInserted (start_block=<optimized out>, >> this=<optimized out>) at /home/bro/src/bro/src/TCP_Reassembler.cc:359 >> #12 TCP_Reassembler::BlockInserted (this=0x5fdf8c0, start_block=<optimized >> out>) at /home/bro/src/bro/src/TCP_Reassembler.cc:334 >> #13 0x0000000000646d28 in TCP_Reassembler::DataSent (this=0x5fdf8c0, >> t=<optimized out>, seq=<optimized out>, len=<optimized out>, data=<optimized >> out>, replaying=<optimized out>) at >> /home/bro/src/bro/src/TCP_Reassembler.cc:458 >> #14 0x0000000000645cc6 in TCP_Endpoint::DataSent (this=0xb1a8790, >> t=<optimized out>, seq=15, len=13, caplen=13, data=0x7f46e2eefffe <Address >> 0x7f46e2eefffe out of bounds>, ip=<optimized out>, tp=0x7f46e2eeffea) at >> /home/bro/src/bro/src/TCP_Endpoint.cc:183 >> #15 0x00000000006446f8 in TCP_Analyzer::DeliverPacket (this=0xb19b240, >> len=13, data=0x7f46e2eefffe <Address 0x7f46e2eefffe out of bounds>, >> is_orig=false, seq=<optimized out>, ip=0x7fff69511bf0, caplen=13) at >> /home/bro/src/bro/src/TCP.cc:1039 >> #16 0x0000000000521571 in Analyzer::NextPacket (this=0xb19b240, >> len=<optimized out>, data=<optimized out>, is_orig=<optimized out>, >> seq=<optimized out>, ip=<optimized out>, caplen=33) at >> /home/bro/src/bro/src/Analyzer.cc:341 >> #17 0x000000000053aa70 in Connection::NextPacket (this=<optimized out>, >> t=<optimized out>, is_orig=<optimized out>, ip=<optimized out>, >> len=<optimized out>, caplen=<optimized out>, data=<optimized out>, >> record_packet=@0x7fff69511868: 1, record_content=@0x7fff6951186c: 1, >> hdr=0x1abd040, pkt=0x7f46e2eeffc8 <Address 0x7f46e2eeffc8 out of bounds>, >> hdr_size=14) at /home/bro/src/bro/src/Conn.cc:259 >> #18 0x000000000062e2f0 in NetSessions::DoNextPacket (this=0x2bd0c00, >> t=1352833032.1424849, hdr=0x1abd040, ip_hdr=0x7fff69511bf0, >> pkt=0x7f46e2eeffc8 <Address 0x7f46e2eeffc8 out of bounds>, hdr_size=14, >> encapsulation=0x0) at /home/bro/src/bro/src/Sessions.cc:700 >> #19 0x000000000062f8c5 in NetSessions::NextPacket (this=0x2bd0c00, >> t=1352833032.1424849, hdr=0x1abd040, pkt=0x7f46e2eeffc8 <Address >> 0x7f46e2eeffc8 out of bounds>, hdr_size=14, pkt_elem=<optimized out>) at >> /home/bro/src/bro/src/Sessions.cc:238 >> #20 0x00000000005ec14b in net_packet_dispatch (t=1352833032.1424849, >> hdr=0x1abd040, pkt=0x7f46e2eeffc8 <Address 0x7f46e2eeffc8 out of bounds>, >> hdr_size=14, src_ps=0x1abd000, pkt_elem=0x0) at >> /home/bro/src/bro/src/Net.cc:353 >> #21 0x00000000005fb0cf in Process (this=0x1abd000) at >> /home/bro/src/bro/src/PktSrc.cc:303 >> #22 PktSrc::Process (this=0x1abd000) at /home/bro/src/bro/src/PktSrc.cc:175 >> #23 0x00000000005ec547 in net_run () at /home/bro/src/bro/src/Net.cc:446 >> #24 0x00000000004c06ea in main (argc=<optimized out>, argv=<optimized out>) >> at /home/bro/src/bro/src/main.cc:1073 >> >> ==== No reporter.log >> >> ==== stderr.log >> listening on eth4, capture length 8192 bytes >> >> bro: /home/bro/src/bro/aux/binpac/lib/binpac_buffer.cc:213: void >> binpac::FlowBuffer::ClearPreviousData(): Assertion `buffer_n_ == 0' failed. >> /usr/local/bro/share/broctl/scripts/run-bro: line 60: 3282 Aborted >> (core dumped) nohup $mybro $@ >> >> >> >> On Nov 13, 2012, at 1:12 PM, Jonathan Siwek <[email protected]> wrote: >> >>> Repository : ssh://[email protected]/bro >>> >>> On branch : topic/jsiwek/modbus-fixes >>> Link : >>> http://tracker.bro-ids.org/bro/changeset/fd5eb23fa6ac654471d71645eb37dacc6d45896b/bro >>> >>>> --------------------------------------------------------------- >>> >>> commit fd5eb23fa6ac654471d71645eb37dacc6d45896b >>> Author: Jon Siwek <[email protected]> >>> Date: Tue Nov 13 12:09:14 2012 -0600 >>> >>> Remove byte count parameter from modbus events carrying register arrays >>> >>> Instead of these events being generated for invalid byte count values >>> (they should always be even, not odd), a protocol_violation is raised. >>> >>> modbus_read_holding_registers_response >>> modbus_read_input_registers_response >>> modbus_write_multiple_registers_request >>> modbus_read_write_multiple_registers_request >>> modbus_read_write_multiple_registers_response >>> modbus_read_fifo_queue_respons >>> >>> >>>> --------------------------------------------------------------- >>> >>> fd5eb23fa6ac654471d71645eb37dacc6d45896b >>> scripts/policy/protocols/modbus/track-memmap.bro | 2 +- >>> src/event.bif | 24 ++------- >>> src/modbus-analyzer.pac | 50 >>> +++++++++++++++++-- >>> .../output | 5 +- >>> .../btest/scripts/base/protocols/modbus/events.bro | 12 ++-- >>> .../base/protocols/modbus/register_parsing.bro | 9 ++-- >>> 6 files changed, 64 insertions(+), 38 deletions(-) >>> >>> diff --git a/scripts/policy/protocols/modbus/track-memmap.bro >>> b/scripts/policy/protocols/modbus/track-memmap.bro >>> index cc02ce9..fc02d9b 100644 >>> --- a/scripts/policy/protocols/modbus/track-memmap.bro >>> +++ b/scripts/policy/protocols/modbus/track-memmap.bro >>> @@ -60,7 +60,7 @@ event modbus_read_holding_registers_request(c: >>> connection, headers: ModbusHeader >>> c$modbus$track_address = start_address+1; >>> } >>> >>> -event modbus_read_holding_registers_response(c: connection, headers: >>> ModbusHeaders, byte_count: count, registers: ModbusRegisters) >>> +event modbus_read_holding_registers_response(c: connection, headers: >>> ModbusHeaders, registers: ModbusRegisters) >>> { >>> local slave = c$id$resp_h; >>> >>> diff --git a/src/event.bif b/src/event.bif >>> index cc8acb1..b965c26 100644 >>> --- a/src/event.bif >>> +++ b/src/event.bif >>> @@ -6623,10 +6623,8 @@ event modbus_read_holding_registers_request%(c: >>> connection, headers: ModbusHeade >>> ## >>> ## headers: The headers for the modbus function. >>> ## >>> -## byte_count: The number of bytes in the message that comprise register >>> values. >>> -## >>> ## registers: The register values returned from the device. >>> -event modbus_read_holding_registers_response%(c: connection, headers: >>> ModbusHeaders, byte_count: count, registers: ModbusRegisters%); >>> +event modbus_read_holding_registers_response%(c: connection, headers: >>> ModbusHeaders, registers: ModbusRegisters%); >>> >>> ## Generated for a Modbus read input registers request. >>> ## >>> @@ -6645,10 +6643,8 @@ event modbus_read_input_registers_request%(c: >>> connection, headers: ModbusHeaders >>> ## >>> ## headers: The headers for the modbus function. >>> ## >>> -## byte_count: The number of bytes in the message that comprise register >>> values. >>> -## >>> ## registers: The register values returned from the device. >>> -event modbus_read_input_registers_response%(c: connection, headers: >>> ModbusHeaders, byte_count: count, registers: ModbusRegisters%); >>> +event modbus_read_input_registers_response%(c: connection, headers: >>> ModbusHeaders, registers: ModbusRegisters%); >>> >>> ## Generated for a Modbus write single coil request. >>> ## >>> @@ -6724,10 +6720,8 @@ event modbus_write_multiple_coils_response%(c: >>> connection, headers: ModbusHeader >>> ## >>> ## start_address: The memory address of the first register to be written. >>> ## >>> -## byte_count: The number of bytes in the message that comprise register >>> values. >>> -## >>> ## registers: The values to be written to the registers. >>> -event modbus_write_multiple_registers_request%(c: connection, headers: >>> ModbusHeaders, start_address: count, byte_count: count, registers: >>> ModbusRegisters%); >>> +event modbus_write_multiple_registers_request%(c: connection, headers: >>> ModbusHeaders, start_address: count, registers: ModbusRegisters%); >>> >>> ## Generated for a Modbus write multiple registers response. >>> ## >>> @@ -6818,10 +6812,8 @@ event modbus_mask_write_register_response%(c: >>> connection, headers: ModbusHeaders >>> ## >>> ## write_start_address: The memory address of the first register to be >>> written. >>> ## >>> -## write_byte_count: Number of bytes in message that comprise register >>> values. >>> -## >>> ## write_registers: The values to be written to the registers. >>> -event modbus_read_write_multiple_registers_request%(c: connection, >>> headers: ModbusHeaders, read_start_address: count, read_quantity: count, >>> write_start_address: count, write_byte_count: count, write_registers: >>> ModbusRegisters%); >>> +event modbus_read_write_multiple_registers_request%(c: connection, >>> headers: ModbusHeaders, read_start_address: count, read_quantity: count, >>> write_start_address: count, write_registers: ModbusRegisters%); >>> >>> ## Generated for a Modbus read/write multiple registers response. >>> ## >>> @@ -6829,10 +6821,8 @@ event >>> modbus_read_write_multiple_registers_request%(c: connection, headers: Modb >>> ## >>> ## headers: The headers for the modbus function. >>> ## >>> -## byte_count: The number of bytes in the message that comprise register >>> values. >>> -## >>> ## written_registers: The register values read from the registers specified >>> in the request. >>> -event modbus_read_write_multiple_registers_response%(c: connection, >>> headers: ModbusHeaders, byte_count: count, written_registers: >>> ModbusRegisters%); >>> +event modbus_read_write_multiple_registers_response%(c: connection, >>> headers: ModbusHeaders, written_registers: ModbusRegisters%); >>> >>> ## Generated for a Modbus read FIFO queue request. >>> ## >>> @@ -6849,10 +6839,8 @@ event modbus_read_fifo_queue_request%(c: connection, >>> headers: ModbusHeaders, sta >>> ## >>> ## headers: The headers for the modbus function. >>> ## >>> -## byte_count: The number of bytes in the message that comprise register >>> values. >>> -## >>> ## fifos: The register values read from the FIFO queue on the device. >>> -event modbus_read_fifo_queue_response%(c: connection, headers: >>> ModbusHeaders, byte_count: count, fifos: ModbusRegisters%); >>> +event modbus_read_fifo_queue_response%(c: connection, headers: >>> ModbusHeaders, fifos: ModbusRegisters%); >>> >>> ## Raised for informational messages reported via Bro's reporter framework. >>> Such >>> ## messages may be generated internally by the event engine and also by >>> other >>> diff --git a/src/modbus-analyzer.pac b/src/modbus-analyzer.pac >>> index 155da96..b03df9d 100644 >>> --- a/src/modbus-analyzer.pac >>> +++ b/src/modbus-analyzer.pac >>> @@ -135,8 +135,16 @@ refine flow ModbusTCP_Flow += { >>> # RESPONSE FC=3 >>> function deliver_ReadHoldingRegistersResponse(header: >>> ModbusTCP_TransportHeader, message: ReadHoldingRegistersResponse): bool >>> %{ >>> + if ( ${message.byte_count} % 2 != 0 ) >>> + { >>> + connection()->bro_analyzer()->ProtocolViolation( >>> + fmt("invalid value for modbus read holding register >>> response byte count %d", ${message.byte_count})); >>> + return false; >>> + } >>> + >>> if ( ::modbus_read_holding_registers_response ) >>> { >>> + >>> VectorVal* t = new >>> VectorVal(BifType::Vector::ModbusRegisters); >>> for ( unsigned int i=0; i < >>> ${message.registers}->size(); ++i ) >>> { >>> @@ -147,7 +155,6 @@ refine flow ModbusTCP_Flow += { >>> >>> BifEvent::generate_modbus_read_holding_registers_response(connection()->bro_analyzer(), >>> >>> connection()->bro_analyzer()->Conn(), >>> >>> HeaderToBro(header), >>> - >>> ${message.byte_count}, >>> >>> t); >>> } >>> >>> @@ -172,6 +179,13 @@ refine flow ModbusTCP_Flow += { >>> # RESPONSE FC=4 >>> function deliver_ReadInputRegistersResponse(header: >>> ModbusTCP_TransportHeader, message: ReadInputRegistersResponse): bool >>> %{ >>> + if ( ${message.byte_count} % 2 != 0 ) >>> + { >>> + connection()->bro_analyzer()->ProtocolViolation( >>> + fmt("invalid value for modbus read input register >>> response byte count %d", ${message.byte_count})); >>> + return false; >>> + } >>> + >>> if ( ::modbus_read_input_registers_response ) >>> { >>> VectorVal* t = new >>> VectorVal(BifType::Vector::ModbusRegisters); >>> @@ -184,7 +198,6 @@ refine flow ModbusTCP_Flow += { >>> >>> BifEvent::generate_modbus_read_input_registers_response(connection()->bro_analyzer(), >>> >>> connection()->bro_analyzer()->Conn(), >>> >>> HeaderToBro(header), >>> - >>> ${message.byte_count}, >>> >>> t); >>> } >>> >>> @@ -309,6 +322,13 @@ refine flow ModbusTCP_Flow += { >>> # REQUEST FC=16 >>> function deliver_WriteMultipleRegistersRequest(header: >>> ModbusTCP_TransportHeader, message: WriteMultipleRegistersRequest): bool >>> %{ >>> + if ( ${message.byte_count} % 2 != 0 ) >>> + { >>> + connection()->bro_analyzer()->ProtocolViolation( >>> + fmt("invalid value for modbus write multiple >>> registers request byte count %d", ${message.byte_count})); >>> + return false; >>> + } >>> + >>> if ( ::modbus_write_multiple_registers_request ) >>> { >>> VectorVal * t = new >>> VectorVal(BifType::Vector::ModbusRegisters); >>> @@ -321,7 +341,7 @@ refine flow ModbusTCP_Flow += { >>> >>> BifEvent::generate_modbus_write_multiple_registers_request(connection()->bro_analyzer(), >>> >>> connection()->bro_analyzer()->Conn(), >>> >>> HeaderToBro(header), >>> - >>> ${message.start_address}, ${message.byte_count}, t); >>> + >>> ${message.start_address}, t); >>> } >>> >>> return true; >>> @@ -486,6 +506,13 @@ refine flow ModbusTCP_Flow += { >>> # REQUEST FC=23 >>> function deliver_ReadWriteMultipleRegistersRequest(header: >>> ModbusTCP_TransportHeader, message: ReadWriteMultipleRegistersRequest): bool >>> %{ >>> + if ( ${message.write_byte_count} % 2 != 0 ) >>> + { >>> + connection()->bro_analyzer()->ProtocolViolation( >>> + fmt("invalid value for modbus read write multiple >>> registers request write byte count %d", ${message.write_byte_count})); >>> + return false; >>> + } >>> + >>> if ( ::modbus_read_write_multiple_registers_request ) >>> { >>> VectorVal* t = new >>> VectorVal(BifType::Vector::ModbusRegisters); >>> @@ -501,7 +528,6 @@ refine flow ModbusTCP_Flow += { >>> >>> ${message.read_start_address}, >>> >>> ${message.read_quantity}, >>> >>> ${message.write_start_address}, >>> - >>> ${message.write_byte_count}, >>> >>> t); >>> } >>> >>> @@ -511,6 +537,13 @@ refine flow ModbusTCP_Flow += { >>> # RESPONSE FC=23 >>> function deliver_ReadWriteMultipleRegistersResponse(header: >>> ModbusTCP_TransportHeader, message: ReadWriteMultipleRegistersResponse): >>> bool >>> %{ >>> + if ( ${message.byte_count} % 2 != 0 ) >>> + { >>> + connection()->bro_analyzer()->ProtocolViolation( >>> + fmt("invalid value for modbus read write multiple >>> registers response byte count %d", ${message.byte_count})); >>> + return false; >>> + } >>> + >>> if ( ::modbus_read_write_multiple_registers_response ) >>> { >>> VectorVal* t = new >>> VectorVal(BifType::Vector::ModbusRegisters); >>> @@ -523,7 +556,6 @@ refine flow ModbusTCP_Flow += { >>> >>> BifEvent::generate_modbus_read_write_multiple_registers_response(connection()->bro_analyzer(), >>> >>> connection()->bro_analyzer()->Conn(), >>> >>> HeaderToBro(header), >>> - >>> ${message.byte_count}, >>> >>> t); >>> } >>> >>> @@ -548,6 +580,13 @@ refine flow ModbusTCP_Flow += { >>> # RESPONSE FC=24 >>> function deliver_ReadFIFOQueueResponse(header: >>> ModbusTCP_TransportHeader, message: ReadFIFOQueueResponse): bool >>> %{ >>> + if ( ${message.byte_count} % 2 != 0 ) >>> + { >>> + connection()->bro_analyzer()->ProtocolViolation( >>> + fmt("invalid value for modbus read FIFO queue >>> response byte count %d", ${message.byte_count})); >>> + return false; >>> + } >>> + >>> if ( ::modbus_read_fifo_queue_response ) >>> { >>> VectorVal* t = new VectorVal(new >>> VectorType(base_type(TYPE_COUNT))); >>> @@ -560,7 +599,6 @@ refine flow ModbusTCP_Flow += { >>> >>> BifEvent::generate_modbus_read_fifo_queue_response(connection()->bro_analyzer(), >>> >>> connection()->bro_analyzer()->Conn(), >>> >>> HeaderToBro(header), >>> - >>> ${message.byte_count}, >>> t); >>> } >>> >>> diff --git >>> a/testing/btest/Baseline/scripts.base.protocols.modbus.register_parsing/output >>> >>> b/testing/btest/Baseline/scripts.base.protocols.modbus.register_parsing/output >>> index 353f85d..5bb5f1b 100644 >>> --- >>> a/testing/btest/Baseline/scripts.base.protocols.modbus.register_parsing/output >>> +++ >>> b/testing/btest/Baseline/scripts.base.protocols.modbus.register_parsing/output >>> @@ -1,5 +1,4 @@ >>> modbus_read_input_registers_request, [orig_h=10.1.1.234, orig_p=51411/tcp, >>> resp_h=10.10.5.104, resp_p=502/tcp], [tid=1119, pid=0, uid=255, >>> function_code=4], 900, 147 >>> -modbus_read_input_registers_response, [orig_h=10.1.1.234, >>> orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=2606, pid=0, >>> uid=255, function_code=4], [0, 0, 0, 0, 0, 0, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690], 100, >>> 200 >>> -modbus_read_input_registers_response, [orig_h=10.1.1.234, >>> orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=6714, pid=0, >>> uid=255, function_code=4], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, >>> 3840, 0, 0, 31, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 37, 0, 0, 0, 0, 0, 0, 0, 0, >>> 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, >>> 0], 64, 129 >>> +modbus_read_input_registers_response, [orig_h=10.1.1.234, >>> orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=2606, pid=0, >>> uid=255, function_code=4], [0, 0, 0, 0, 0, 0, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690], 100 >>> modbus_read_input_registers_request, [orig_h=10.1.1.234, orig_p=51411/tcp, >>> resp_h=10.10.5.104, resp_p=502/tcp], [tid=12993, pid=0, uid=255, >>> function_code=4], 400, 100 >>> -modbus_read_input_registers_response, [orig_h=10.1.1.234, >>> orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=17667, pid=0, >>> uid=255, function_code=4], [49, 18012, 51, 42, 53, 54, 55, 56, 57, 58, 59, >>> 60, 61, 62, 63, 64, 65, 66, 67, 68, 49, 50, 51, 54324, 53, 54, 55, 56, 57, >>> 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 49, 50, 51, 52, 53, 54, 55, 56, >>> 57, 58, 59, 60, 61, 69, 63, 64, 65, 66, 67, 68, 49, 189, 51, 52, 53, 54, >>> 4151, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 136, 49, 50, 51, 212, >>> 53, 54, 170, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690], 100, 200 >>> +modbus_read_input_registers_response, [orig_h=10.1.1.234, >>> orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=17667, pid=0, >>> uid=255, function_code=4], [49, 18012, 51, 42, 53, 54, 55, 56, 57, 58, 59, >>> 60, 61, 62, 63, 64, 65, 66, 67, 68, 49, 50, 51, 54324, 53, 54, 55, 56, 57, >>> 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 49, 50, 51, 52, 53, 54, 55, 56, >>> 57, 58, 59, 60, 61, 69, 63, 64, 65, 66, 67, 68, 49, 189, 51, 52, 53, 54, >>> 4151, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 136, 49, 50, 51, 212, >>> 53, 54, 170, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, >>> 43690, 43690, 43690, 43690], 100 >>> diff --git a/testing/btest/scripts/base/protocols/modbus/events.bro >>> b/testing/btest/scripts/base/protocols/modbus/events.bro >>> index 6c47dc6..f648a0a 100644 >>> --- a/testing/btest/scripts/base/protocols/modbus/events.bro >>> +++ b/testing/btest/scripts/base/protocols/modbus/events.bro >>> @@ -41,7 +41,7 @@ event modbus_read_holding_registers_request(c: >>> connection, headers: ModbusHeader >>> print "modbus_read_holding_registers_request", c, headers, start_address, >>> quantity; >>> } >>> >>> -event modbus_read_holding_registers_response(c: connection, headers: >>> ModbusHeaders, byte_count: count, registers: ModbusRegisters) >>> +event modbus_read_holding_registers_response(c: connection, headers: >>> ModbusHeaders, registers: ModbusRegisters) >>> { >>> print "modbus_read_holding_registers_response", c, headers, registers; >>> } >>> @@ -51,7 +51,7 @@ event modbus_read_input_registers_request(c: connection, >>> headers: ModbusHeaders, >>> print "modbus_read_input_registers_request", c, headers, start_address, >>> quantity; >>> } >>> >>> -event modbus_read_input_registers_response(c: connection, headers: >>> ModbusHeaders, byte_count: count, registers: ModbusRegisters) >>> +event modbus_read_input_registers_response(c: connection, headers: >>> ModbusHeaders, registers: ModbusRegisters) >>> { >>> print "modbus_read_input_registers_response", c, headers, registers; >>> } >>> @@ -86,7 +86,7 @@ event modbus_write_multiple_coils_response(c: connection, >>> headers: ModbusHeaders >>> print "modbus_write_multiple_coils_response", c, headers, start_address, >>> quantity; >>> } >>> >>> -event modbus_write_multiple_registers_request(c: connection, headers: >>> ModbusHeaders, start_address: count, byte_count: count, registers: >>> ModbusRegisters) >>> +event modbus_write_multiple_registers_request(c: connection, headers: >>> ModbusHeaders, start_address: count, registers: ModbusRegisters) >>> { >>> print "modbus_write_multiple_registers_request", c, headers, >>> start_address, registers; >>> } >>> @@ -126,12 +126,12 @@ event modbus_mask_write_register_response(c: >>> connection, headers: ModbusHeaders, >>> print "modbus_mask_write_register_response", c, headers, address, >>> and_mask, or_mask; >>> } >>> >>> -event modbus_read_write_multiple_registers_request(c: connection, headers: >>> ModbusHeaders, read_start_address: count, read_quantity: count, >>> write_start_address: count, write_byte_count: count, write_registers: >>> ModbusRegisters) >>> +event modbus_read_write_multiple_registers_request(c: connection, headers: >>> ModbusHeaders, read_start_address: count, read_quantity: count, >>> write_start_address: count, write_registers: ModbusRegisters) >>> { >>> print "modbus_read_write_multiple_registers_request", c, headers, >>> read_start_address, read_quantity, write_start_address, write_registers; >>> } >>> >>> -event modbus_read_write_multiple_registers_response(c: connection, >>> headers: ModbusHeaders, byte_count: count, written_registers: >>> ModbusRegisters) >>> +event modbus_read_write_multiple_registers_response(c: connection, >>> headers: ModbusHeaders, written_registers: ModbusRegisters) >>> { >>> print "modbus_read_write_multiple_registers_response", c, headers, >>> written_registers; >>> } >>> @@ -141,7 +141,7 @@ event modbus_read_fifo_queue_request(c: connection, >>> headers: ModbusHeaders, star >>> print "modbus_read_fifo_queue_request", c, headers, start_address; >>> } >>> >>> -event modbus_read_fifo_queue_response(c: connection, headers: >>> ModbusHeaders, byte_count: count, fifos: ModbusRegisters) >>> +event modbus_read_fifo_queue_response(c: connection, headers: >>> ModbusHeaders, fifos: ModbusRegisters) >>> { >>> print "modbus_read_fifo_queue_response", c, headers, fifos; >>> } >>> diff --git >>> a/testing/btest/scripts/base/protocols/modbus/register_parsing.bro >>> b/testing/btest/scripts/base/protocols/modbus/register_parsing.bro >>> index 300dd75..1641860 100644 >>> --- a/testing/btest/scripts/base/protocols/modbus/register_parsing.bro >>> +++ b/testing/btest/scripts/base/protocols/modbus/register_parsing.bro >>> @@ -6,15 +6,16 @@ >>> # of register values, with the quantity being derived from a byte count >>> value >>> # that is also sent. If the byte count value is invalid (e.g. an odd value >>> # might not be valid since registers must be 2-byte values), then the parser >>> -# should not trigger any asserts, but the resulting event could indicate >>> -# the strangeness (i.e. byte_count != 2*|registers|). >>> +# should not trigger any asserts, but generate a protocol_violation (in >>> this >>> +# case TCP_ApplicationAnalyzer::ProtocolViolation asserts its behavior for >>> +# incomplete connections). >>> >>> event modbus_read_input_registers_request(c: connection, headers: >>> ModbusHeaders, start_address: count, quantity: count) >>> { >>> print "modbus_read_input_registers_request", c$id, headers, >>> start_address, quantity; >>> } >>> >>> -event modbus_read_input_registers_response(c: connection, headers: >>> ModbusHeaders, byte_count: count, registers: ModbusRegisters) >>> +event modbus_read_input_registers_response(c: connection, headers: >>> ModbusHeaders, registers: ModbusRegisters) >>> { >>> - print "modbus_read_input_registers_response", c$id, headers, registers, >>> |registers|, byte_count; >>> + print "modbus_read_input_registers_response", c$id, headers, registers, >>> |registers|; >>> } >>> >>> _______________________________________________ >>> bro-commits mailing list >>> [email protected] >>> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-commits >> >> >> _______________________________________________ >> bro-dev mailing list >> [email protected] >> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev >> > > > _______________________________________________ > bro-dev mailing list > [email protected] > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev _______________________________________________ bro-dev mailing list [email protected] http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
