[Oisf-devel] Develop a pre-processor for a TCP based protocol
Victor Julien
victor at inliniac.net
Fri Oct 3 07:03:45 UTC 2014
On 09/29/2014 05:01 PM, Adrian Falk wrote:
> I am thinking about how to develop a Suricata pre-processor for a TCP
> based L7 protocol. I have looked at the Suricata source code and have also
> reviewed https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Inspection_Module
For this case, you'll need to use the app layer API instead. Sadly, it's
not documented yet.
> I have the following questions:
>
> 1. Adding code as per the above document will allow me to add new
> keywords as well as allow me to perform protocol packet boilerplate
> checks (len, checksum, etc). Correct?
>
> 2. How would I add support for protocol detection?
>
> 3. How would I add stateful packet processing for the L7 protocol?
>
I would like to suggest having a look at this work:
https://github.com/inliniac/suricata/pull/1134
It does all that you ask, for Modbus.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------