adding a function in dnp3-analyzer.pac to translate the time stamp fo…
…rmat
Hui Lin committed Sep 26, 2014
1 parent ff61737 commit f933899
Showing 3 changed files with 56 additions and 36 deletions.
44 changes: 32 additions & 12 deletions src/analyzer/protocol/dnp3/dnp3-analyzer.pac
Expand Up @@ -4,6 +4,26 @@ connection DNP3_Conn(bro_analyzer: BroAnalyzer) {
downflow = DNP3_Flow(false);
};

%header{
uint64 bytestring_to_time(const_bytestring time48);
%}

%code{
uint64 bytestring_to_time(const_bytestring time48)
{
/* in DNP3, time stamp is represented by 6 bytes to epoch in millisecond */
/* 6 bytes are stored following big endian format */
uint64 epochTime = 0;

for ( uint i = 0 ; i < 6; i++)
{
epochTime = time48[5-i] + epochTime * 256;
}

return epochTime;
}
%}

flow DNP3_Flow(is_orig: bool) {
flowunit = DNP3_PDU(is_orig) withcontext (connection, this);

Expand Down Expand Up @@ -222,7 +242,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_frozen_counter_32wFlagTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value, bytestring_to_val(time48));
is_orig(), flag, count_value, bytestring_to_time(time48));
}

return true;
Expand All @@ -236,7 +256,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_frozen_counter_16wFlagTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value, bytestring_to_val(time48));
is_orig(), flag, count_value, bytestring_to_time(time48));
}

return true;
Expand Down Expand Up @@ -390,7 +410,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_frozen_analog_input_32wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_val(time48));
is_orig(), flag, frozen_value, bytestring_to_time(time48));
}

return true;
Expand All @@ -404,7 +424,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_frozen_analog_input_16wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_val(time48));
is_orig(), flag, frozen_value, bytestring_to_time(time48));
}

return true;
Expand Down Expand Up @@ -502,7 +522,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_analog_input_event_32wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_val(time48));
is_orig(), flag, value, bytestring_to_time(time48));
}

return true;
Expand All @@ -516,7 +536,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_analog_input_event_16wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_val(time48));
is_orig(), flag, value, bytestring_to_time(time48));
}

return true;
Expand Down Expand Up @@ -558,7 +578,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_analog_input_event_SPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_val(time48));
is_orig(), flag, value, bytestring_to_time(time48));
}

return true;
Expand All @@ -572,7 +592,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_analog_input_event_DPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value_low, value_high, bytestring_to_val(time48));
is_orig(), flag, value_low, value_high, bytestring_to_time(time48));
}

return true;
Expand Down Expand Up @@ -614,7 +634,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_frozen_analog_input_event_32wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_val(time48));
is_orig(), flag, frozen_value, bytestring_to_time(time48));
}

return true;
Expand All @@ -628,7 +648,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_frozen_analog_input_event_16wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_val(time48));
is_orig(), flag, frozen_value, bytestring_to_time(time48));
}

return true;
Expand Down Expand Up @@ -670,7 +690,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_frozen_analog_input_event_SPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_val(time48));
is_orig(), flag, frozen_value, bytestring_to_time(time48));
}

return true;
Expand All @@ -684,7 +704,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_frozen_analog_input_event_DPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_val(time48));
is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_time(time48));
}

return true;
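Review bot: In the first hunk, `bytestring_to_time` indexes `time48[5-i]` for six bytes without checking the bytestring's length, and the value comes from parsed DNP3 traffic. If the field is not declared with a fixed length of 6 in the protocol grammar (not visible on this page), a shorter object may make the loop read outside the buffer; a guard such as `if ( time48.length() < 6 ) return 0;` before the loop would make the helper safe on its own. The comment also says the bytes are stored big endian, but the loop treats byte 5 as the most significant one, i.e. least-significant byte first, so I would reword it to `/* the 6 bytes arrive least-significant byte first (little endian) */`. `uint` is not a standard C++ type, so `unsigned int i` is the more portable loop index.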
24 changes: 12 additions & 12 deletions src/analyzer/protocol/dnp3/events.bif
Expand Up @@ -130,11 +130,11 @@ event dnp3_frozen_counter_16wFlag%(c: connection, is_orig: bool, flag:count, cou

## Generated for DNP3 objects with the group number 21 and variation number 5
## frozen counter 32 bit with flag and time
event dnp3_frozen_counter_32wFlagTime%(c: connection, is_orig: bool, flag:count, count_value: count, time48: string%);
event dnp3_frozen_counter_32wFlagTime%(c: connection, is_orig: bool, flag:count, count_value: count, time48: count%);

## Generated for DNP3 objects with the group number 21 and variation number 6
## frozen counter 16 bit with flag and time
event dnp3_frozen_counter_16wFlagTime%(c: connection, is_orig: bool, flag:count, count_value: count, time48: string%);
event dnp3_frozen_counter_16wFlagTime%(c: connection, is_orig: bool, flag:count, count_value: count, time48: count%);

## Generated for DNP3 objects with the group number 21 and variation number 9
## frozen counter 32 bit without flag
Expand Down Expand Up @@ -178,11 +178,11 @@ event dnp3_frozen_analog_input_16wFlag%(c: connection, is_orig: bool, flag: coun

## Generated for DNP3 objects with the group number 31 and variation number 3
## frozen analog input 32 bit with time-of-freeze
event dnp3_frozen_analog_input_32wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string%);
event dnp3_frozen_analog_input_32wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count%);

## Generated for DNP3 objects with the group number 31 and variation number 4
## frozen analog input 16 bit with time-of-freeze
event dnp3_frozen_analog_input_16wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string%);
event dnp3_frozen_analog_input_16wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count%);

## Generated for DNP3 objects with the group number 31 and variation number 5
## frozen analog input 32 bit without flag
Expand Down Expand Up @@ -210,11 +210,11 @@ event dnp3_analog_input_event_16woTime%(c: connection, is_orig: bool, flag: coun

## Generated for DNP3 objects with the group number 32 and variation number 3
## analog input event 32 bit with time
event dnp3_analog_input_event_32wTime%(c: connection, is_orig: bool, flag: count, value: count, time48: string%);
event dnp3_analog_input_event_32wTime%(c: connection, is_orig: bool, flag: count, value: count, time48: count%);

## Generated for DNP3 objects with the group number 32 and variation number 4
## analog input event 16 bit with time
event dnp3_analog_input_event_16wTime%(c: connection, is_orig: bool, flag: count, value: count, time48: string%);
event dnp3_analog_input_event_16wTime%(c: connection, is_orig: bool, flag: count, value: count, time48: count%);

## Generated for DNP3 objects with the group number 32 and variation number 5
## analog input event single-precision float point without time
Expand All @@ -226,11 +226,11 @@ event dnp3_analog_input_event_DPwoTime%(c: connection, is_orig: bool, flag: coun

## Generated for DNP3 objects with the group number 32 and variation number 7
## analog input event single-precision float point with time
event dnp3_analog_input_event_SPwTime%(c: connection, is_orig: bool, flag: count, value: count, time48: string%);
event dnp3_analog_input_event_SPwTime%(c: connection, is_orig: bool, flag: count, value: count, time48: count%);

## Generated for DNP3 objects with the group number 32 and variation number 8
## analog input event double-precisiion float point with time
event dnp3_analog_input_event_DPwTime%(c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: string%);
event dnp3_analog_input_event_DPwTime%(c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: count%);

## Generated for DNP3 objects with the group number 33 and variation number 1
## frozen analog input event 32 bit without time
Expand All @@ -242,11 +242,11 @@ event dnp3_frozen_analog_input_event_16woTime%(c: connection, is_orig: bool, fla

## Generated for DNP3 objects with the group number 33 and variation number 3
## frozen analog input event 32 bit with time
event dnp3_frozen_analog_input_event_32wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string%);
event dnp3_frozen_analog_input_event_32wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count%);

## Generated for DNP3 objects with the group number 33 and variation number 4
## frozen analog input event 16 bit with time
event dnp3_frozen_analog_input_event_16wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string%);
event dnp3_frozen_analog_input_event_16wTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count%);

## Generated for DNP3 objects with the group number 33 and variation number 5
## frozen analog input event single-precision float point without time
Expand All @@ -258,11 +258,11 @@ event dnp3_frozen_analog_input_event_DPwoTime%(c: connection, is_orig: bool, fla

## Generated for DNP3 objects with the group number 33 and variation number 7
## frozen analog input event single-precision float point with time
event dnp3_frozen_analog_input_event_SPwTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string%);
event dnp3_frozen_analog_input_event_SPwTime%(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count%);

## Generated for DNP3 objects with the group number 34 and variation number 8
## frozen analog input event double-precision float point with time
event dnp3_frozen_analog_input_event_DPwTime%(c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: string%);
event dnp3_frozen_analog_input_event_DPwTime%(c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: count%);

## g70
event dnp3_file_transport%(c: connection, is_orig: bool, file_handle: count, block_num: count, file_data: string%);
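Review bot: The twelve `time48` parameters change from `string` to `count`, but the `##` comments above these events do not say what the number means. Going by `bytestring_to_time` in dnp3-analyzer.pac, it is the 6-byte DNP3 time stamp as milliseconds since the epoch, so each event could carry a line like `## time48: time stamp of the object, in milliseconds since the epoch.` Without it, script authors have to read the analyzer to learn the unit. Existing handlers declared with `time48: string` will no longer agree with these declarations, which is worth a changelog entry.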
24 changes: 12 additions & 12 deletions testing/btest/scripts/base/protocols/dnp3/events.bro
Expand Up @@ -82,12 +82,12 @@ event dnp3_frozen_counter_16wFlag(c: connection, is_orig: bool, flag:count, coun
print "dnp3_frozen_counter_16wFlag", is_orig, flag;
}

event dnp3_frozen_counter_32wFlagTime(c: connection, is_orig: bool, flag:count, count_value: count, time48: string)
event dnp3_frozen_counter_32wFlagTime(c: connection, is_orig: bool, flag:count, count_value: count, time48: count)
{
print "dnp3_frozen_counter_32wFlagTime", is_orig, flag;
}

event dnp3_frozen_counter_16wFlagTime(c: connection, is_orig: bool, flag:count, count_value: count, time48: string)
event dnp3_frozen_counter_16wFlagTime(c: connection, is_orig: bool, flag:count, count_value: count, time48: count)
{
print "dnp3_frozen_counter_16wFlagTime", is_orig, flag;
}
Expand Down Expand Up @@ -142,12 +142,12 @@ event dnp3_frozen_analog_input_16wFlag(c: connection, is_orig: bool, flag: count
print "dnp3_frozen_analog_input_16wFlag", is_orig, flag, frozen_value;
}

event dnp3_frozen_analog_input_32wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string)
event dnp3_frozen_analog_input_32wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)
{
print "dnp3_frozen_analog_input_32wTime", is_orig, flag, frozen_value, time48;
}

event dnp3_frozen_analog_input_16wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string)
event dnp3_frozen_analog_input_16wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)
{
print "dnp3_frozen_analog_input_16wTime", is_orig, flag, frozen_value, time48;
}
Expand Down Expand Up @@ -182,12 +182,12 @@ event dnp3_analog_input_event_16woTime(c: connection, is_orig: bool, flag: count
print "dnp3_analog_input_event_16woTime", is_orig, flag, value;
}

event dnp3_analog_input_event_32wTime(c: connection, is_orig: bool, flag: count, value: count, time48: string)
event dnp3_analog_input_event_32wTime(c: connection, is_orig: bool, flag: count, value: count, time48: count)
{
print "dnp3_analog_input_event_32wTime", is_orig, flag, value, time48;
}

event dnp3_analog_input_16wTime(c: connection, is_orig: bool, flag: count, value: count, time48: string)
event dnp3_analog_input_16wTime(c: connection, is_orig: bool, flag: count, value: count, time48: count)
{
print "dnp3_analog_input_event_16wTime", is_orig, flag, value, time48;
}
Expand All @@ -202,12 +202,12 @@ event dnp3_analog_inputDP_woTime(c: connection, is_orig: bool, flag: count, valu
print "dnp3_analog_input_event_DPwoTime", is_orig, flag, value_low, value_high;
}

event dnp3_analog_inputSP_wTime(c: connection, is_orig: bool, flag: count, value: count, time48: string)
event dnp3_analog_inputSP_wTime(c: connection, is_orig: bool, flag: count, value: count, time48: count)
{
print "dnp3_analog_input_event_SPwTime", is_orig, flag, value, time48;
}

event dnp3_analog_inputDP_wTime(c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: string)
event dnp3_analog_inputDP_wTime(c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: count)
{
print "dnp3_analog_input_event_DPwTime", is_orig, flag, value_low, value_high, time48;
}
Expand All @@ -222,12 +222,12 @@ event dnp3_frozen_analog_input_event_16woTime(c: connection, is_orig: bool, flag
print "dnp3_frozen_analog_input_event_16woTime", is_orig, flag, frozen_value;
}

event dnp3_frozen_analog_input_event_32wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string)
event dnp3_frozen_analog_input_event_32wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)
{
print "dnp3_frozen_analog_input_event_32wTime", is_orig, flag, frozen_value, time48;
}

event dnp3_frozen_analog_input_event_16wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string)
event dnp3_frozen_analog_input_event_16wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)
{
print "dnp3_frozen_analog_input_event_16wTime", is_orig, flag, frozen_value, time48;
}
Expand All @@ -242,12 +242,12 @@ event dnp3_frozen_analog_input_event_DPwoTime(c: connection, is_orig: bool, flag
print "dnp3_frozen_analog_input_event_DPwoTime", is_orig, flag, frozen_value_low, frozen_value_high;
}

event dnp3_frozen_analog_input_event_SPwTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string)
event dnp3_frozen_analog_input_event_SPwTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)
{
print "dnp3_frozen_analog_inputeventSP_wTime", is_orig, flag, frozen_value, time48;
}

event dnp3_frozen_analog_input_event_DPwTime(c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: string)
event dnp3_frozen_analog_input_event_DPwTime(c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: count)
{
print "dnp3_frozen_analog_inputeventDP_wTime", is_orig, flag, frozen_value_low, frozen_value_high, time48;
}
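Review bot: Three of the handlers updated here use names that the events.bif section on this page does not declare: `dnp3_analog_input_16wTime`, `dnp3_analog_inputSP_wTime` and `dnp3_analog_inputDP_wTime`, where the .bif file has `dnp3_analog_input_event_16wTime`, `dnp3_analog_input_event_SPwTime` and `dnp3_analog_input_event_DPwTime`. Those handlers probably never run, so the new `count` value is not exercised for them; renaming them to the .bif names, e.g. `event dnp3_analog_input_event_16wTime(c: connection, is_orig: bool, flag: count, value: count, time48: count)`, would fix that. The two `dnp3_frozen_counter_*wFlagTime` handlers do not print `time48` at all, so appending `, count_value, time48` to their `print` statements would cover the conversion there too. Since the printed `time48` changes from a raw string to a number, the test baseline may need regenerating, and no baseline file is among the three changed files.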