I'd love to see these operations built into Bro. However, considering Bro's focus on scale, individual C2 operations analysis (especially when applied to specific connections within a large pipe) may be better suited for something like chopshop or another framework focused on individual connections. Any other opinions?


On May 23, 2014 10:52 PM, "M K" <mkhan04@gmail.com> wrote:
My method was to take a string of bytes and convert them to integral types I wanted.

So if I received a 'string' type in a function I could do:

# s is the string argument the function received ("string" itself is a type name in Bro).
# sub_bytes() positions are 1-based, so the three fields start at 1, 5 and 7.
local foo1 = bytestring_to_count(sub_bytes(s, 1, 4));
local foo2 = bytestring_to_count(sub_bytes(s, 5, 2));
local foo3 = bytestring_to_count(sub_bytes(s, 7, 2));

local bar = foo1 ^ 0x12345678;
local bah = (foo2 + foo3) & 0xFFFF;

if ( bar == 0xDEADBEEF && bah > 0x1234 ) {
	# do a barrel roll
}

On Sat, May 24, 2014 at 1:42 AM, Vern Paxson <vern@icir.org> wrote:
> Bitwise operations on user defined stream fields for custom protocol

Okay, these examples make sense to me.  Let me ask then about what such
operators should look like.  M K originally sketched them as operating on
integral types.  However, I'd think that if it's for manipulating blobs
of C&C, then instead working on strings would be the right target ... ?
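As an added example (not code from the thread's participants or from the Bro project), the following Python prototype shows the two shapes of operator being discussed: the integer-typed version from the sketch above, where fields are pulled out of the byte string with sub_bytes()/bytestring_to_count() and then XORed and masked, and the string-typed version Vern raises, where the bitwise operator is applied to the whole blob. The two Bro built-ins are mirrored by small helpers (sub_bytes() with a 1-based start, bytestring_to_count() big-endian by default); their handling of out-of-range starts is an assumption here, as are the sample payloads, which are constructed rather than captured. The constants 0x12345678, 0xDEADBEEF and 0x1234 are the ones used in the sketch.

```python
"""Prototype of the decode-and-check logic sketched in this thread.

Added example, not code from the Bro project or the thread's authors.
Helpers mimic the Bro built-ins named in the thread; edge-case behaviour
(start out of range, negative length) is assumed, not verified against Bro.
"""


def sub_bytes(s: bytes, start: int, n: int) -> bytes:
    """Mimic Bro's sub_bytes(): start is 1-based, n < 0 means 'to the end'.

    Assumption: an out-of-range start yields the empty string.
    """
    if start < 1 or start > len(s):
        return b""
    if n < 0:
        return s[start - 1:]
    return s[start - 1:start - 1 + n]


def bytestring_to_count(s: bytes, is_le: bool = False) -> int:
    """Mimic Bro's bytestring_to_count(): big-endian unless is_le is set."""
    return int.from_bytes(s, "little" if is_le else "big")


def check_blob(s: bytes) -> bool:
    """Integer-typed variant: XOR a 32-bit word, mask a 16-bit sum, compare."""
    if len(s) < 8:
        # A short blob would otherwise decode empty/partial substrings as 0.
        return False
    foo1 = bytestring_to_count(sub_bytes(s, 1, 4))
    foo2 = bytestring_to_count(sub_bytes(s, 5, 2))
    foo3 = bytestring_to_count(sub_bytes(s, 7, 2))
    bar = foo1 ^ 0x12345678
    # Python ints (like Bro counts) do not wrap at 16 bits; the mask emulates
    # the 16-bit arithmetic a C implementation of the protocol would perform.
    bah = (foo2 + foo3) & 0xFFFF
    return bar == 0xDEADBEEF and bah > 0x1234


def xor_string(data: bytes, key: bytes) -> bytes:
    """String-typed variant: XOR every byte of data with a repeating key.

    With a 4-byte key this gives the same result on the first word as the
    integer XOR in check_blob(), without extracting a count first.
    """
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed payloads for the example (not captured traffic).
# 0xCC99E897 ^ 0x12345678 == 0xDEADBEEF and 0x0A00 + 0x1234 == 0x1C34 > 0x1234.
GOOD_BLOB = bytes.fromhex("cc99e897" "0a00" "1234")
# Same first word, but 0xFFFF + 0x0002 masks down to 0x0001, so the check fails.
WRAPPED_BLOB = bytes.fromhex("cc99e897" "ffff" "0002")
# Repeating key for the string-typed variant; matches the integer constant.
XOR_KEY = bytes.fromhex("12345678")


if __name__ == "__main__":
    print("good blob:", check_blob(GOOD_BLOB))
    print("wrapped blob:", check_blob(WRAPPED_BLOB))
    print("string XOR:", xor_string(GOOD_BLOB[:4], XOR_KEY).hex())
```

The mask on the 16-bit sum is the part worth keeping in mind whichever form the operators take: Bro counts are wider than the protocol's fields, so without `& 0xFFFF` a carry out of the 16-bit field would make the comparison disagree with the sender's implementation.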