From f933899b172647c58779ed914612ba182612b659 Mon Sep 17 00:00:00 2001 From: Hui Lin Date: Fri, 26 Sep 2014 14:47:51 -0500 Subject: [PATCH] adding a function in dnp3-analyzer.pac to translate the time stamp format --- src/analyzer/protocol/dnp3/dnp3-analyzer.pac | 44 ++++++++++++++----- src/analyzer/protocol/dnp3/events.bif | 24 +++++----- .../scripts/base/protocols/dnp3/events.bro | 24 +++++----- 3 files changed, 56 insertions(+), 36 deletions(-) diff --git a/src/analyzer/protocol/dnp3/dnp3-analyzer.pac b/src/analyzer/protocol/dnp3/dnp3-analyzer.pac index 2ae783c82e..bccf1376e4 100644 --- a/src/analyzer/protocol/dnp3/dnp3-analyzer.pac +++ b/src/analyzer/protocol/dnp3/dnp3-analyzer.pac @@ -4,6 +4,26 @@ connection DNP3_Conn(bro_analyzer: BroAnalyzer) { downflow = DNP3_Flow(false); }; +%header{ + uint64 bytestring_to_time(const_bytestring time48); + %} + +%code{ + uint64 bytestring_to_time(const_bytestring time48) + { + /* in DNP3, time stamp is represented by 6 bytes to epoch in millisecond */ + /* 6 bytes are stored following big endian format */ + uint64 epochTime = 0; + + for ( uint i = 0 ; i < 6; i++) + { + epochTime = time48[5-i] + epochTime * 256; + } + + return epochTime; + } + %} + flow DNP3_Flow(is_orig: bool) { flowunit = DNP3_PDU(is_orig) withcontext (connection, this); @@ -222,7 +242,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_frozen_counter_32wFlagTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, count_value, bytestring_to_val(time48)); + is_orig(), flag, count_value, bytestring_to_time(time48)); } return true; @@ -236,7 +256,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_frozen_counter_16wFlagTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, count_value, bytestring_to_val(time48)); + is_orig(), flag, count_value, bytestring_to_time(time48)); } return true; 
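Review bot: bytestring_to_time indexes time48[5-i] for six iterations without ever checking time48.length(), so any caller that hands it a field shorter than 6 bytes reads past the end of the buffer; the call sites changed in this patch presumably pass a fixed 6-byte field, but the helper itself has no guard. The comment also says the 6 bytes are "big endian" while the loop makes byte 0 the least significant and byte 5 the most significant, i.e. it decodes least-significant-byte-first, which is what DNP3 specifies, so the comment contradicts the code. `uint` is not a standard C++ type and only resolves through a platform typedef; an `int` or `unsigned` index is portable. The rewrite below adds the length guard (returning 0 for a short field; if a protocol-violation signal is wanted it has to be raised by the calling flow, since this free-standing helper has no analyzer handle), corrects the comment and decodes with shifts instead of a multiply.
```cpp
%code{
	uint64 bytestring_to_time(const_bytestring time48)
		{
		/* DNP3 absolute time: a 48-bit unsigned count of milliseconds since
		 * the Unix epoch, sent least-significant byte first (little-endian). */
		if ( time48.length() < 6 )
			return 0;	// short field: do not read past the buffer

		uint64 epochTime = 0;

		for ( int i = 5; i >= 0; --i )
			epochTime = (epochTime << 8) | time48[i];

		return epochTime;
		}
	%}
```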
@@ -390,7 +410,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_frozen_analog_input_32wTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, frozen_value, bytestring_to_val(time48)); + is_orig(), flag, frozen_value, bytestring_to_time(time48)); } return true; @@ -404,7 +424,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_frozen_analog_input_16wTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, frozen_value, bytestring_to_val(time48)); + is_orig(), flag, frozen_value, bytestring_to_time(time48)); } return true; @@ -502,7 +522,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_analog_input_event_32wTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, value, bytestring_to_val(time48)); + is_orig(), flag, value, bytestring_to_time(time48)); } return true; @@ -516,7 +536,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_analog_input_event_16wTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, value, bytestring_to_val(time48)); + is_orig(), flag, value, bytestring_to_time(time48)); } return true; @@ -558,7 +578,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_analog_input_event_SPwTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, value, bytestring_to_val(time48)); + is_orig(), flag, value, bytestring_to_time(time48)); } return true; @@ -572,7 +592,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_analog_input_event_DPwTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, value_low, value_high, bytestring_to_val(time48)); + is_orig(), flag, value_low, value_high, bytestring_to_time(time48)); } return true; 
@@ -614,7 +634,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_frozen_analog_input_event_32wTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, frozen_value, bytestring_to_val(time48)); + is_orig(), flag, frozen_value, bytestring_to_time(time48)); } return true; @@ -628,7 +648,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_frozen_analog_input_event_16wTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, frozen_value, bytestring_to_val(time48)); + is_orig(), flag, frozen_value, bytestring_to_time(time48)); } return true; @@ -670,7 +690,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_frozen_analog_input_event_SPwTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, frozen_value, bytestring_to_val(time48)); + is_orig(), flag, frozen_value, bytestring_to_time(time48)); } return true; @@ -684,7 +704,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_frozen_analog_input_event_DPwTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_val(time48)); + is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_time(time48)); } return true; diff --git a/src/analyzer/protocol/dnp3/events.bif b/src/analyzer/protocol/dnp3/events.bif index 80f9504a9e..18fc42d6f7 100644 --- a/src/analyzer/protocol/dnp3/events.bif +++ b/src/analyzer/protocol/dnp3/events.bif 
@@ -130,11 +130,11 @@ event dnp3_frozen_counter_16wFlag%(c: connection, is_orig: bool, flag:count, cou ## Generated for DNP3 objects with the group number 21 and variation number 5 ## frozen counter 32 bit with flag and time -event dnp3_frozen_counter_32wFlagTime%(c: connection, is_orig: bool, flag:count, count_value: count, time48: string%); +event dnp3_frozen_counter_32wFlagTime%(c: connection, is_orig: bool, flag:count, count_value: count, time48: count%); ## Generated for DNP3 objects with the group number 21 and variation number 6 ## frozen counter 16 bit with flag and time -event dnp3_frozen_counter_16wFlagTime%(c: connection, is_orig: bool, flag:count, count_value: count, time48: string%); +event dnp3_frozen_counter_16wFlagTime%(c: connection, is_orig: bool, flag:count, count_value: count, time48: count%); ## Generated for DNP3 objects with the group number 21 and variation number 9 ## frozen counter 32 bit without flag @@ -178,11 +178,11 @@ event dnp3_frozen_analog_input_16wFlag%(c: connection, is_orig: bool, flag: coun ## Generated for DNP3 objects with the group number 31 and variation number 3 ## frozen analog input 32 bit with time-of-freeze -event dnp3_frozen_analog_input_32wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string%); +event dnp3_frozen_analog_input_32wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count%); ## Generated for DNP3 objects with the group number 31 and variation number 4 ## frozen analog input 16 bit with time-of-freeze -event dnp3_frozen_analog_input_16wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string%); +event dnp3_frozen_analog_input_16wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count%); ## Generated for DNP3 objects with the group number 31 and variation number 5 ## frozen analog input 32 bit without flag 
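Review bot: The retyped `time48: count` parameter is documented nowhere as a unit, and nothing in the event comments says it is the decoded 48-bit DNP3 timestamp in milliseconds since the epoch rather than seconds; Bro's `time` values are seconds, so a script converting it directly would be off by a factor of 1000. Each retyped event in this hunk and in the hunks at @@ -178, @@ -210, @@ -226, @@ -242 and @@ -258 should get a parameter line in its doc comment, e.g. `## time48: absolute time of the object, in milliseconds since the Unix epoch (decoded from the 48-bit DNP3 timestamp).` The change from the raw 6-byte string to a converted count is also a script-visible interface change and deserves a one-line mention in the event description.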
@@ -210,11 +210,11 @@ event dnp3_analog_input_event_16woTime%(c: connection, is_orig: bool, flag: coun ## Generated for DNP3 objects with the group number 32 and variation number 3 ## analog input event 32 bit with time -event dnp3_analog_input_event_32wTime%(c: connection, is_orig: bool, flag: count, value: count, time48: string%); +event dnp3_analog_input_event_32wTime%(c: connection, is_orig: bool, flag: count, value: count, time48: count%); ## Generated for DNP3 objects with the group number 32 and variation number 4 ## analog input event 16 bit with time -event dnp3_analog_input_event_16wTime%(c: connection, is_orig: bool, flag: count, value: count, time48: string%); +event dnp3_analog_input_event_16wTime%(c: connection, is_orig: bool, flag: count, value: count, time48: count%); ## Generated for DNP3 objects with the group number 32 and variation number 5 ## analog input event single-precision float point without time @@ -226,11 +226,11 @@ event dnp3_analog_input_event_DPwoTime%(c: connection, is_orig: bool, flag: coun ## Generated for DNP3 objects with the group number 32 and variation number 7 ## analog input event single-precision float point with time -event dnp3_analog_input_event_SPwTime%(c: connection, is_orig: bool, flag: count, value: count, time48: string%); +event dnp3_analog_input_event_SPwTime%(c: connection, is_orig: bool, flag: count, value: count, time48: count%); ## Generated for DNP3 objects with the group number 32 and variation number 8 ## analog input event double-precisiion float point with time -event dnp3_analog_input_event_DPwTime%(c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: string%); +event dnp3_analog_input_event_DPwTime%(c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: count%); ## Generated for DNP3 objects with the group number 33 and variation number 1 ## frozen analog input event 32 bit without time 
@@ -242,11 +242,11 @@ event dnp3_frozen_analog_input_event_16woTime%(c: connection, is_orig: bool, fla ## Generated for DNP3 objects with the group number 33 and variation number 3 ## frozen analog input event 32 bit with time -event dnp3_frozen_analog_input_event_32wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string%); +event dnp3_frozen_analog_input_event_32wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count%); ## Generated for DNP3 objects with the group number 33 and variation number 4 ## frozen analog input event 16 bit with time -event dnp3_frozen_analog_input_event_16wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string%); +event dnp3_frozen_analog_input_event_16wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count%); ## Generated for DNP3 objects with the group number 33 and variation number 5 ## frozen analog input event single-precision float point without time 
@@ -258,11 +258,11 @@ event dnp3_frozen_analog_input_event_DPwoTime%(c: connection, is_orig: bool, fla ## Generated for DNP3 objects with the group number 33 and variation number 7 ## frozen analog input event single-precision float point with time -event dnp3_frozen_analog_input_event_SPwTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string%); +event dnp3_frozen_analog_input_event_SPwTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count%); ## Generated for DNP3 objects with the group number 34 and variation number 8 ## frozen analog input event double-precision float point with time -event dnp3_frozen_analog_input_event_DPwTime%(c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: string%); +event dnp3_frozen_analog_input_event_DPwTime%(c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: count%); ## g70 event dnp3_file_transport%(c: connection, is_orig: bool, file_handle: count, block_num: count, file_data: string%); diff --git a/testing/btest/scripts/base/protocols/dnp3/events.bro b/testing/btest/scripts/base/protocols/dnp3/events.bro index aff5191d7f..9c968bdaac 100644 --- a/testing/btest/scripts/base/protocols/dnp3/events.bro +++ b/testing/btest/scripts/base/protocols/dnp3/events.bro 
@@ -82,12 +82,12 @@ event dnp3_frozen_counter_16wFlag(c: connection, is_orig: bool, flag:count, coun print "dnp3_frozen_counter_16wFlag", is_orig, flag; } -event dnp3_frozen_counter_32wFlagTime(c: connection, is_orig: bool, flag:count, count_value: count, time48: string) +event dnp3_frozen_counter_32wFlagTime(c: connection, is_orig: bool, flag:count, count_value: count, time48: count) { print "dnp3_frozen_counter_32wFlagTime", is_orig, flag; } -event dnp3_frozen_counter_16wFlagTime(c: connection, is_orig: bool, flag:count, count_value: count, time48: string) +event dnp3_frozen_counter_16wFlagTime(c: connection, is_orig: bool, flag:count, count_value: count, time48: count) { print "dnp3_frozen_counter_16wFlagTime", is_orig, flag; } @@ -142,12 +142,12 @@ event dnp3_frozen_analog_input_16wFlag(c: connection, is_orig: bool, flag: count print "dnp3_frozen_analog_input_16wFlag", is_orig, flag, frozen_value; } -event dnp3_frozen_analog_input_32wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string) +event dnp3_frozen_analog_input_32wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count) { print "dnp3_frozen_analog_input_32wTime", is_orig, flag, frozen_value, time48; } -event dnp3_frozen_analog_input_16wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string) +event dnp3_frozen_analog_input_16wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count) { print "dnp3_frozen_analog_input_16wTime", is_orig, flag, frozen_value, time48; } 
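Review bot: The two frozen-counter handlers in this hunk print only is_orig and flag, so the newly count-typed time48 (and count_value) is never exercised by this test and a wrong decode would go unnoticed; adding the fields to the print, as the later handlers in this file already do, would make the baseline catch it, e.g. `print "dnp3_frozen_counter_32wFlagTime", is_orig, flag, count_value, time48;` and the same for the 16-bit handler. The handlers that do print time48 now emit a number where they previously emitted a raw 6-byte string, so if a Baseline directory for this btest exists it needs regenerating; the diffstat shows no baseline change in this commit.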
@@ -182,12 +182,12 @@ event dnp3_analog_input_event_16woTime(c: connection, is_orig: bool, flag: count print "dnp3_analog_input_event_16woTime", is_orig, flag, value; } -event dnp3_analog_input_event_32wTime(c: connection, is_orig: bool, flag: count, value: count, time48: string) +event dnp3_analog_input_event_32wTime(c: connection, is_orig: bool, flag: count, value: count, time48: count) { print "dnp3_analog_input_event_32wTime", is_orig, flag, value, time48; } -event dnp3_analog_input_16wTime(c: connection, is_orig: bool, flag: count, value: count, time48: string) +event dnp3_analog_input_16wTime(c: connection, is_orig: bool, flag: count, value: count, time48: count) { print "dnp3_analog_input_event_16wTime", is_orig, flag, value, time48; } @@ -202,12 +202,12 @@ event dnp3_analog_inputDP_woTime(c: connection, is_orig: bool, flag: count, valu print "dnp3_analog_input_event_DPwoTime", is_orig, flag, value_low, value_high; } -event dnp3_analog_inputSP_wTime(c: connection, is_orig: bool, flag: count, value: count, time48: string) +event dnp3_analog_inputSP_wTime(c: connection, is_orig: bool, flag: count, value: count, time48: count) { print "dnp3_analog_input_event_SPwTime", is_orig, flag, value, time48; } -event dnp3_analog_inputDP_wTime(c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: string) +event dnp3_analog_inputDP_wTime(c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: count) { print "dnp3_analog_input_event_DPwTime", is_orig, flag, value_low, value_high, time48; } 
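Review bot: The handler names `dnp3_analog_input_16wTime` in this hunk and `dnp3_analog_inputSP_wTime` / `dnp3_analog_inputDP_wTime` in the hunk at @@ -202 do not match the events declared in events.bif (`dnp3_analog_input_event_16wTime`, `dnp3_analog_input_event_SPwTime`, `dnp3_analog_input_event_DPwTime`), even though their print strings use the bif names; the analyzer will never invoke these handlers, so the test silently skips those three events. The mismatch predates this commit, but since the signature lines are being rewritten here anyway, rename them to `event dnp3_analog_input_event_16wTime(c: connection, is_orig: bool, flag: count, value: count, time48: count)`, `event dnp3_analog_input_event_SPwTime(c: connection, is_orig: bool, flag: count, value: count, time48: count)` and `event dnp3_analog_input_event_DPwTime(c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: count)` with the bodies unchanged.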
@@ -222,12 +222,12 @@ event dnp3_frozen_analog_input_event_16woTime(c: connection, is_orig: bool, flag print "dnp3_frozen_analog_input_event_16woTime", is_orig, flag, frozen_value; } -event dnp3_frozen_analog_input_event_32wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string) +event dnp3_frozen_analog_input_event_32wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count) { print "dnp3_frozen_analog_input_event_32wTime", is_orig, flag, frozen_value, time48; } -event dnp3_frozen_analog_input_event_16wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string) +event dnp3_frozen_analog_input_event_16wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count) { print "dnp3_frozen_analog_input_event_16wTime", is_orig, flag, frozen_value, time48; } @@ -242,12 +242,12 @@ event dnp3_frozen_analog_input_event_DPwoTime(c: connection, is_orig: bool, flag print "dnp3_frozen_analog_input_event_DPwoTime", is_orig, flag, frozen_value_low, frozen_value_high; } -event dnp3_frozen_analog_input_event_SPwTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string) +event dnp3_frozen_analog_input_event_SPwTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count) { print "dnp3_frozen_analog_inputeventSP_wTime", is_orig, flag, frozen_value, time48; } -event dnp3_frozen_analog_input_event_DPwTime(c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: string) +event dnp3_frozen_analog_input_event_DPwTime(c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: count) { print "dnp3_frozen_analog_inputeventDP_wTime", is_orig, flag, frozen_value_low, frozen_value_high, time48; }