In support of submitting the ICAP Analyzer as a Bro Package, I am porting the ICAP
Analyzer to build as a dynamic Plugin. Originally, I inserted the ICAP Analyzer straight
into the source code tree, under /src/analyzer/protocol/icap, and compiled it as part of
the Bro core. But in an effort to make it easier for others to integrate into their
existing Bro instantiations, I am making the effort to make it a stand-alone Plugin
instead... but the BinPAC parser is not working when I run it as a Plugin.
The Plugin builds and installs without error, and I verify that the Plugin is enabled and
that my ICAP main.bro script is loaded, but it is not producing any ICAP or HTTP related
(a) It appears that the parser is not recognizing the ICAP Request messages
(b) It starts to parse the ICAP Response messages; but it breaks mid-way through the
I think the problem is within the BinPAC files where I use regular expressions to define a
data element within the ICAP packet structures/records. In the ICAP Request message, the
very first element is a regex pattern, so that's why it fails to parse these packets
at all. In the ICAP Response message, it parses the first element correctly, but then it
bombs on the second element, which is a regex pattern.
The BinPAC help/reference document contains a section titled "Running
Binpac-Generated Analyzer Standalone,"
which states that to run binpac-generated code independent of Bro, the regex library must
be substituted... I presume the stand-alone guidance applies to the Plugin? It must
because I did not have this trouble when I built the analyzer straight into the Bro core.
The regex library guidance says I need to include three header files: RE.h, bro-dummy.h,
and binpac_pcre.h. You provide sample code for each file. Am I to copy-n-paste the
sample code directly into my Plugin source code as three new header files? Or do these
three files exist elsewhere in the Bro source? I can find "RE.h" in the source
(/src/RE.h). And I can find "binpac_regex.h" in the source
(/aux/binpac/lib/binpac_regex.h), which seems similar, but I cannot find
"binpac_pcre.h" nor "bro_dummy.h" anywhere.
I need a little bit of advice... or a lot of advice :) Can I use RE.h and binpac_regex.h
that exist in the Bro 2.4.1 distro? Or do I need to create the three header files and
paste the sample code verbatim?
Mark I. Fernandez