Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add NCP::max_frame_size tuning option

Browse source 
This helps prevent excessive allocations based on message lengths
taken from NCP headers.
This commit is contained in:
Jon Siwek 2018-05-22 18:27:52 -05:00
parent e35da5f592
commit 58864c358c
7 changed files with 487 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

6
scripts/base/init-bare.bro
View file

@ -4806,6 +4806,12 @@ export {
const max_frag_data = 30000 &redef; const max_frag_data = 30000 &redef;
} }
module NCP;
export {
## The maximum number of bytes to allocate when parsing NCP frames.
const max_frame_size = 65536 &redef;
}
module Cluster; module Cluster;
export { export {
type Cluster::Pool: record {}; type Cluster::Pool: record {};

2
src/analyzer/protocol/ncp/CMakeLists.txt
View file

@ -5,6 +5,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
bro_plugin_begin(Bro NCP) bro_plugin_begin(Bro NCP)
bro_plugin_cc(NCP.cc Plugin.cc) bro_plugin_cc(NCP.cc Plugin.cc)
bro_plugin_bif(events.bif) bro_plugin_bif(events.bif consts.bif)
bro_plugin_pac(ncp.pac) bro_plugin_pac(ncp.pac)
bro_plugin_end() bro_plugin_end()

44
src/analyzer/protocol/ncp/NCP.cc
View file

@ -9,6 +9,7 @@
#include "NCP.h" #include "NCP.h"
#include "events.bif.h" #include "events.bif.h"
#include "consts.bif.h"
using namespace std; using namespace std;
using namespace analyzer::ncp; using namespace analyzer::ncp;
@ -105,13 +106,12 @@ void FrameBuffer::Reset()
msg_len = 0; msg_len = 0;
} }
// Returns true if we have a complete frame int FrameBuffer::Deliver(int &len, const u_char* &data)
bool FrameBuffer::Deliver(int &len, const u_char* &data)
{ {
ASSERT(buf_len >= hdr_len); ASSERT(buf_len >= hdr_len);
if ( len == 0 ) if ( len == 0 )
return false; return -1;
if ( buf_n < hdr_len ) if ( buf_n < hdr_len )
{ {
@ -123,13 +123,16 @@ bool FrameBuffer::Deliver(int &len, const u_char* &data)
} }
if ( buf_n < hdr_len ) if ( buf_n < hdr_len )
return false; return -1;
compute_msg_length(); compute_msg_length();
if ( msg_len > buf_len ) if ( msg_len > buf_len )
{ {
buf_len = msg_len * 2; if ( msg_len > BifConst::NCP::max_frame_size )
return 1;
buf_len = msg_len;
u_char* new_buf = new u_char[buf_len]; u_char* new_buf = new u_char[buf_len];
memcpy(new_buf, msg_buf, buf_n); memcpy(new_buf, msg_buf, buf_n);
delete [] msg_buf; delete [] msg_buf;
@ -143,7 +146,13 @@ bool FrameBuffer::Deliver(int &len, const u_char* &data)
++buf_n; ++data; --len; ++buf_n; ++data; --len;
} }
return buf_n >= msg_len; if ( buf_n < msg_len )
return -1;
if ( buf_n == msg_len )
return 0;
return 1;
} }
void NCP_FrameBuffer::compute_msg_length() void NCP_FrameBuffer::compute_msg_length()
@ -203,10 +212,27 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig
resync = false; resync = false;
} }
while ( buffer.Deliver(len, data) ) for ( ; ; )
{ {
session->Deliver(IsOrig(), buffer.Len(), buffer.Data()); auto result = buffer.Deliver(len, data);
buffer.Reset();
if ( result < 0 )
break;
if ( result == 0 )
{
session->Deliver(IsOrig(), buffer.Len(), buffer.Data());
buffer.Reset();
}
else
{
// The rest of the data available in this delivery will
// be discarded and will need to resync to a new frame header.
Weird("ncp_large_frame");
buffer.Reset();
resync = true;
break;
}
} }
} }

11
src/analyzer/protocol/ncp/NCP.h
View file

@ -54,8 +54,9 @@ public:
explicit FrameBuffer(int header_length); explicit FrameBuffer(int header_length);
virtual ~FrameBuffer(); virtual ~FrameBuffer();
// Returns true if a frame is ready // Returns -1 if frame is not ready, 0 if it else, and 1 if
bool Deliver(int& len, const u_char* &data); // the frame would require too large of a buffer allocation.
int Deliver(int& len, const u_char* &data);
void Reset(); void Reset();
@ -68,9 +69,9 @@ protected:
int hdr_len; int hdr_len;
u_char* msg_buf; u_char* msg_buf;
int msg_len; uint64 msg_len;
int buf_n; // number of bytes in msg_buf size_t buf_n; // number of bytes in msg_buf
int buf_len; // size off msg_buf size_t buf_len; // size off msg_buf
}; };
#define NCP_TCPIP_HEADER_LENGTH 8 #define NCP_TCPIP_HEADER_LENGTH 8

1
src/analyzer/protocol/ncp/consts.bif Normal file
View file

@ -0,0 +1 @@
const NCP::max_frame_size: count;

418
testing/btest/Baseline/scripts.base.protocols.ncp.frame_size_tuning/out Normal file
View file

@ -0,0 +1,418 @@
ncp reply, 13107, 70, 0, 0, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 79, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 79, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 79, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 79, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 79, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 59, 89
ncp reply, 13107, 2, 8738, 89, 255
ncp request, 8738, 59, 89
ncp reply, 13107, 2, 8738, 89, 255
ncp request, 8738, 79, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 66, 89
ncp reply, 13107, 92, 8738, 89, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 66, 89
ncp reply, 13107, 92, 8738, 89, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 46, 89
ncp reply, 13107, 88, 8738, 89, 0
ncp request, 8738, 40, 89
ncp reply, 13107, 11, 8738, 89, 0
ncp request, 8738, 40, 89
ncp reply, 13107, 102, 8738, 89, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 6, 22338
ncp reply, 13107, 10, 8738, 22338, 0
ncp request, 8738, 14, 72
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 14, 72
ncp request, 8738, 14, 72

20
testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro Normal file
View file

@ -0,0 +1,20 @@
# @TEST-EXEC: bro -C -r $TRACES/ncp.pcap %INPUT NCP::max_frame_size=150 >out
# @TEST-EXEC: btest-diff out
redef likely_server_ports += { 524/tcp };
event bro_init()
{
const ports = { 524/tcp };
Analyzer::register_for_ports(Analyzer::ANALYZER_NCP, ports);
}
event ncp_request(c: connection, frame_type: count, length: count, func: count)
{
print "ncp request", frame_type, length, func;
}
event ncp_reply(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count)
{
print "ncp reply", frame_type, length, req_frame, req_func, completion_code;
}