From 6af87dc2c8780bc10e4da5632d940791616cb10f Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 21 Apr 2015 13:13:24 -0500 Subject: [PATCH] BIT-1343: factor common ASN.1 code from RDP and SNMP analyzer.
--- src/analyzer/protocol/asn1/asn1.pac | 62 ++++++++++++++++++++ src/analyzer/protocol/rdp/rdp-protocol.pac | 61 +------------------ src/analyzer/protocol/snmp/snmp-protocol.pac | 57 +----------------- 3 files changed, 66 insertions(+), 114 deletions(-) create mode 100644 src/analyzer/protocol/asn1/asn1.pac
diff --git a/src/analyzer/protocol/asn1/asn1.pac b/src/analyzer/protocol/asn1/asn1.pac
new file mode 100644
index 0000000000..544ac21409
--- /dev/null
+++ b/src/analyzer/protocol/asn1/asn1.pac
@@ -0,0 +1,62 @@
+############################## ASN.1 Encodings
+
+enum ASN1TypeTag {
+	ASN1_INTEGER_TAG = 0x02,
+	ASN1_OCTET_STRING_TAG = 0x04,
+	ASN1_NULL_TAG = 0x05,
+	ASN1_OBJECT_IDENTIFIER_TAG = 0x06,
+	ASN1_SEQUENCE_TAG = 0x30,
+};
+
+type ASN1Encoding = record {
+	meta: ASN1EncodingMeta;
+	content: bytestring &length = meta.length;
+};
+
+type ASN1EncodingMeta = record {
+	tag: uint8;
+	len: uint8;
+	more_len: bytestring &length = long_len ? len & 0x7f : 0;
+} &let {
+	long_len: bool = len & 0x80;
+	length: uint64 = long_len ? binary_to_int64(more_len) : len & 0x7f;
+};
+
+type ASN1SequenceMeta = record {
+	encoding: ASN1EncodingMeta;
+};
+
+type ASN1Integer = record {
+	encoding: ASN1Encoding;
+};
+
+type ASN1OctetString = record {
+	encoding: ASN1Encoding;
+};
+
+type ASN1ObjectIdentifier = record {
+	encoding: ASN1Encoding;
+};
+
+type ASN1Boolean = record {
+	encoding: ASN1Encoding;
+};
+
+type ASN1Enumerated = record {
+	encoding: ASN1Encoding;
+};
+
+############################## ASN.1 Conversion Functions
+
+function binary_to_int64(bs: bytestring): int64
+	%{
+	int64 rval = 0;
+
+	for ( int i = 0; i < bs.length(); ++i )
+		{
+		uint64 byte = bs[i];
+		rval |= byte << (8 * (bs.length() - (i + 1)));
+		}
+
+	return rval;
+	%}
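Review bot: `binary_to_int64` in the new asn1.pac shifts `byte << (8 * (bs.length() - (i + 1)))`, and `more_len` is declared with `&length = long_len ? len & 0x7f : 0`, so a long-form length with more than 8 length octets — attacker-controlled on the wire for both the SNMP and RDP analyzers that now share this code — shifts a uint64 by 64 bits or more, which is undefined behaviour in C++ and in practice yields an unpredictable `length`. Bound it before shifting, e.g. `if ( bs.length() > 8 ) throw binpac::Exception("ASN.1 length encoding longer than 8 bytes");` as the first statement of the function (or an equivalent `&check` on the `more_len` length in `ASN1EncodingMeta`). A first length byte of exactly 0x80 (BER indefinite form) also sets `long_len` with an empty `more_len`, so `length` silently becomes 0 rather than being rejected; a comment on `ASN1EncodingMeta` such as `# NOTE: indefinite-length (0x80) is not supported and decodes as length 0` would make that visible. Nothing compares `encoding.meta.tag` against `ASN1TypeTag` in `ASN1Integer`, `ASN1OctetString` and the other wrapper records, so they accept any tag; if that is intended a one-line comment saying so would help, and the enum lacks BOOLEAN (0x01) and ENUMERATED (0x0a) even though `ASN1Boolean` and `ASN1Enumerated` records exist.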
diff --git a/src/analyzer/protocol/rdp/rdp-protocol.pac b/src/analyzer/protocol/rdp/rdp-protocol.pac index adb13948ef..7047b5a8ba 100644 --- a/src/analyzer/protocol/rdp/rdp-protocol.pac +++ b/src/analyzer/protocol/rdp/rdp-protocol.pac @@ -1,3 +1,4 @@ +%include ../asn1/asn1.pac type TPKT(is_orig: bool) = record { version: uint8; @@ -326,64 +327,6 @@ type X509_Cert_Data = record { cert: bytestring &length=cert_len; } &byteorder=littleendian; -###################################################################### -# ASN.1 Encodings -###################################################################### - -type ASN1Encoding = record { - meta: ASN1EncodingMeta; - content: bytestring &length = meta.length; -}; - -type ASN1EncodingMeta = record { - tag: uint8; - len: uint8; - more_len: bytestring &length = long_len ? len & 0x7f : 0; -} &let { - long_len: bool = (len & 0x80) > 0; - length: uint64 = long_len ? binary_to_int64(more_len) : len & 0x7f; -}; - -type ASN1SequenceMeta = record { - encoding: ASN1EncodingMeta; -}; - -type ASN1Integer = record { - encoding: ASN1Encoding; -}; - -type ASN1OctetString = record { - encoding: ASN1Encoding; -}; - -type ASN1ObjectIdentifier = record { - encoding: ASN1Encoding; -}; - -type ASN1Boolean = record { - encoding: ASN1Encoding; -}; - -type ASN1Enumerated = record { - encoding: ASN1Encoding; -}; - -###################################################################### -# ASN.1 Conversion Functions -###################################################################### - -function binary_to_int64(bs: bytestring): int64 - %{ - int64 rval = 0; - for ( int i = 0; i < bs.length(); ++i ) - { - uint64 byte = bs[i]; - rval |= byte << (8 * (bs.length() - (i + 1))); - } - - return rval; - %} - refine connection RDP_Conn += { %member{ @@ -420,4 +363,4 @@ refine connection RDP_Conn += { %{ return encryption_method_; %} -}; \ No newline at end of file +}; 
diff --git a/src/analyzer/protocol/snmp/snmp-protocol.pac b/src/analyzer/protocol/snmp/snmp-protocol.pac index 8d9b602ea2..f498271b72 100644 --- a/src/analyzer/protocol/snmp/snmp-protocol.pac +++ b/src/analyzer/protocol/snmp/snmp-protocol.pac @@ -8,6 +8,8 @@ # used. Primitive or non-constructor encodings are preferred over # constructor encodings. +%include ../asn1/asn1.pac + type TopLevelMessage(is_orig: bool) = record { asn1_sequence_meta: ASN1SequenceMeta; version: ASN1Integer; @@ -215,58 +217,3 @@ enum VarBindNullTag { VARBIND_NOSUCHINSTANCE_TAG = 0x81, VARBIND_ENDOFMIBVIEW_TAG = 0x82, }; - -############################## ASN.1 Encodings - -enum ASN1TypeTag { - ASN1_INTEGER_TAG = 0x02, - ASN1_OCTET_STRING_TAG = 0x04, - ASN1_NULL_TAG = 0x05, - ASN1_OBJECT_IDENTIFIER_TAG = 0x06, - ASN1_SEQUENCE_TAG = 0x30, -}; - -type ASN1Encoding = record { - meta: ASN1EncodingMeta; - content: bytestring &length = meta.length; -}; - -type ASN1EncodingMeta = record { - tag: uint8; - len: uint8; - more_len: bytestring &length = long_len ? len & 0x7f : 0; -} &let { - long_len: bool = len & 0x80; - length: uint64 = long_len ? binary_to_int64(more_len) : len & 0x7f; -}; - -type ASN1SequenceMeta = record { - encoding: ASN1EncodingMeta; -}; - -type ASN1Integer = record { - encoding: ASN1Encoding; -}; - -type ASN1OctetString = record { - encoding: ASN1Encoding; -}; - -type ASN1ObjectIdentifier = record { - encoding: ASN1Encoding; -}; - -############################## ASN.1 Conversion Functions - -function binary_to_int64(bs: bytestring): int64 - %{ - int64 rval = 0; - - for ( int i = 0; i < bs.length(); ++i ) - { - uint64 byte = bs[i]; - rval |= byte << (8 * (bs.length() - (i + 1))); - } - - return rval; - %}