[Oisf-devel] Adding New Protocol Support for Suricata

Prabhakaran Kasinathan prabhakaran1989 at gmail.com
Mon May 14 10:01:24 UTC 2012


Dear Developers,

I am doing my Master of Science thesis at Politecnico di Torino, Italy. My
thesis concentrates on developing an efficient intrusion detection system
for Wireless Sensor Networks, basically concentrating on the protocols (IEEE
802.15.4, 6LoWPAN and its application-level protocol COAP (HTTP)). I
have been trying to analyse SNORT and SURICATA (both don't support
decoding these protocols). I found SURICATA has some better capabilities,
hence decided to work with this. But to start with I have some problems.

Problem:

   - Currently I have a sensor node which sniffs the IEEE 802.15.4 traffic
   and forwards it to a virtual interface (TUN/TAP).
   - I tried to run Suricata on that interface, and I got the error:

   8/5/2012 -- 17:02:56 - <Error> - [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 195 not yet supported in module DecodePcap

Question:

   - How do I add support for this datalink type in DecodePcap?
   - How do I develop a decoder for a new protocol? (Better to have some
   examples or tutorials.)
   - Wireshark can dissect almost all the protocols which I need. Is there
   any way we can use it for developing a decoder for Suricata?

It would be a great help for me to start and contribute to this open-source
community through my thesis.
-- 
Best Regards,
Prabhakaran Kasinathan
+39 3279720502

