Dailydave mailing list archives

Unknown Application Protocol Analysis


From: "Rhys Kidd" <rhyskidd () gmail com>
Date: Wed, 6 Sep 2006 22:59:31 +0800


Hi List,

I've been thinking about a problem faced when approaching an unknown traffic
flow, and think this list probably contains an expert or two in this area. 


Q. How do you run a quick one pass analysis of some proprietary application
protocol?


I know it's fairly easy to look at small subsets of traffic manually,
looking for the \x00 and slowly guess-timate where fields begin and end,
what constitutes a record, what are static offsets etc, but I'm imagining a
tool that would take in a batch of traffic and work out roughly what's what,
seeing the big picture.

I'd imagine this tool would run a first check, looking for what might
constitute discrete units of information, (possibly all those bounded by
\x00).

I'd imagine this tool would then look for some of the basic layouts of TLV
protocols (which seem most common IMHO) by working out lengths of what
appear to be strings, and look for those ints before or after. Maybe even
looking for md5 or sha1 hashes that correspond to other data fields. Then
look for repeating byte patterns etc.

Once it understands the structure of a single packet, then compare it over
time with other packets between similar hosts, looking for which fields are
constant, which ones change randomly (signifying GUIDs or Message IDs) and
those that only change slightly (perhaps timing fields). This would be where
the real knowledge would lie, as assumptions made about individual packets
(e.g. what is really static or dynamic) could be rectified over a larger
data-set.

Then print this out in a way like:

<static header><record 1><length><Unicode content><\x88\x88\x88><record
2><length><COMPUTER_NAME><record 3><CURRENT_TIME><unknown static crud>

Producing an Ethereal protocol definition file at the end would be icing on
the cake!

I've had a look at:
[1] http://research.microsoft.com/workshops/sysml/papers/sysml-Gopalratnam.pdf
[2] http://www.ub.utwente.nl/webdocs/ctit/1/000000ef.pdf

But can't seem to find any public code that has attempted to solve the same
problem.
Has anyone else thought about this, or know of code I should look at?

Rhys



_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
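A minimal sketch of the two-pass idea in the post (length-prefixed field detection on one packet, then per-offset comparison across a batch to separate static, drifting and random fields), written as an added example for this archive page rather than code from the poster or from either cited paper. The sample packets, their layout and the byte/word thresholds are constructed assumptions.

```python
import struct

# Constructed sample traffic (not from the thread). Layout the script is NOT told:
# [2-byte static header][1-byte length][ASCII name][4-byte random msg id][4-byte timestamp]
def make_packet(name: bytes, msg_id: int, ts: int) -> bytes:
    return b"\xca\xfe" + bytes([len(name)]) + name + struct.pack(">II", msg_id, ts)

SAMPLE = [
    make_packet(b"HOST01", 0x1A2B3C4D, 1000),
    make_packet(b"HOST01", 0x9E8F7A6B, 1003),
    make_packet(b"HOST01", 0x5566AABB, 1005),
    make_packet(b"HOST01", 0x01020304, 1008),
]

def find_length_prefixed(pkt: bytes) -> list:
    """TLV heuristic: a byte whose value equals the length of the printable
    ASCII run that immediately follows it. Returns (offset, length, run)."""
    hits = []
    for i, n in enumerate(pkt[:-1]):
        run = pkt[i + 1:i + 1 + n]
        if 1 <= n <= len(pkt) - i - 1 and all(32 <= c < 127 for c in run):
            hits.append((i, n, run))
    return hits

def summarize(packets: list, width: int = 4) -> list:
    """One-pass layout guess: static prefix, length-prefixed string, then the
    trailing bytes cut into fixed-width words and classified by how each word
    varies across packets (constant / small drift / random)."""
    off, n, run = find_length_prefixed(packets[0])[0]
    prefix_static = all(p[:off] == packets[0][:off] for p in packets)
    layout = [("static header" if prefix_static else "varying header", packets[0][:off]),
              ("length", n), ("string", run)]
    tails = [p[off + 1 + n:] for p in packets]
    for i in range(0, min(map(len, tails)) - width + 1, width):
        words = [int.from_bytes(t[i:i + width], "big") for t in tails]
        if len(set(words)) == 1:
            kind = "static"
        elif max(abs(b - a) for a, b in zip(words, words[1:])) < 256:
            kind = "drifting (timer/counter?)"   # changes slightly packet to packet
        else:
            kind = "random (id/nonce?)"          # no relation between consecutive values
        layout.append((f"word@{i}", kind))
    return layout

if __name__ == "__main__":
    for field in summarize(SAMPLE):
        print(field)
```

With more packets the word-level verdicts get more reliable, which is exactly the "rectified over a larger data-set" step; with mixed string lengths the tail offsets must be taken relative to the end of the string, as done here, not from the packet start.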

