[Oisf-devel] Going to Open Source and plugins

Vasily A. Sartakov sartakov at ksyslabs.org
Wed Oct 22 13:33:16 UTC 2014


> On 22 Oct 2014, at 16:49, Victor Julien <victor at inliniac.net> wrote:
> 
> On 09/18/2014 09:30 AM, Sartakov A. Vasily wrote:
>>>> The second question is about plugin support. There is functionality in Snort that we need. We have to control the association of MAC and IP provided by rules. As far as I understand, that functionality is provided via a plugin in Snort. Can you advise the right approach for obtaining the same functionality in Suricata? What is the best place in the sources to «hook», or, maybe, is there a plugin engine already under construction?
>>>> 
>>> We don't currently have a dynamic plugin API. The various keywords are
>>> implemented in a modular way though.
>> 
>> So, as I understand, we have to implement this functionality from scratch. Can you give advice? We have to register a new keyword, right, and add MAC address processing somewhere?
> 
> I would suggest having a look at some of the current detection modules.
> A simple one would be the 'itype' module, which matches against icmp
> 'type' fields.
> 
> detection: detect-itype.c
> packet decoding: decode-icmpv4.c

Thank you. We have implemented it like detect-id.c, i.e. we have added a new keyword to the IP header rule:

alert ip 192.168.220.227 any -> any any (msg:"wrong hw addr"; eth_src:00:0c:29:43:2a:ef; sid:2000000000;rev:12;)

Not the best solution, but enough for experiments.  

-- 
Vasily A. Sartakov
sartakov at ksyslabs.org
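The eth_src keyword described in the message above, reduced to the two parts any Suricata-style keyword needs (parsing the option value at rule load, and the per-packet match), as a stand-alone C example added here. It is not code from the post or from Suricata's tree: it does not use Suricata's keyword registration API (the sigmatch table and its Setup/Match callbacks), and the function names, the DetectEthSrcData layout, the optional `!` negation prefix and the constructed sample frame are all assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETH_ALEN       6
#define ETH_HLEN       14
#define ETHERTYPE_IPV4 0x0800
#define IPV4_MIN_HLEN  20

/* Per-signature data a Setup callback would attach to the rule.
 * Assumed layout for this example, not Suricata's. */
typedef struct DetectEthSrcData_ {
    uint8_t mac[ETH_ALEN];
    int negated;   /* assumed extension: "eth_src:!00:0c:..." matches any other MAC */
} DetectEthSrcData;

/* Parse "aa:bb:cc:dd:ee:ff" (either case, optional leading '!') into 6 bytes.
 * Returns 0 on success, -1 on malformed input so a bad rule is rejected at
 * load time instead of silently never matching. */
int DetectEthSrcParse(const char *optstr, DetectEthSrcData *out)
{
    if (optstr == NULL || out == NULL)
        return -1;
    memset(out, 0, sizeof(*out));
    const char *p = optstr;
    while (isspace((unsigned char)*p)) p++;
    if (*p == '!') { out->negated = 1; p++; }
    for (int i = 0; i < ETH_ALEN; i++) {
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]))
            return -1;
        char hex[3] = { p[0], p[1], '\0' };
        out->mac[i] = (uint8_t)strtoul(hex, NULL, 16);
        p += 2;
        if (i < ETH_ALEN - 1 && *p++ != ':')
            return -1;
    }
    while (isspace((unsigned char)*p)) p++;
    return (*p == '\0') ? 0 : -1;   /* trailing junk (a 7th octet etc.) is rejected */
}

/* Keyword match on a raw Ethernet frame: the source MAC is bytes 6..11.
 * A frame shorter than the Ethernet header never matches. */
int DetectEthSrcMatch(const uint8_t *frame, size_t len, const DetectEthSrcData *d)
{
    if (frame == NULL || d == NULL || len < ETH_HLEN)
        return 0;
    int eq = memcmp(frame + ETH_ALEN, d->mac, ETH_ALEN) == 0;
    return d->negated ? !eq : eq;
}

/* Source IPv4 address of the frame (host byte order), or 0 when the frame is
 * not IPv4 or is truncated. This is the decode step the rule header
 * "alert ip 192.168.220.227 any -> ..." depends on. */
uint32_t FrameSrcIPv4(const uint8_t *frame, size_t len)
{
    if (frame == NULL || len < ETH_HLEN + IPV4_MIN_HLEN)
        return 0;
    uint16_t ethertype = (uint16_t)(frame[12] << 8 | frame[13]);
    if (ethertype != ETHERTYPE_IPV4 || (frame[ETH_HLEN] >> 4) != 4)
        return 0;
    const uint8_t *ip = frame + ETH_HLEN + 12;
    return (uint32_t)ip[0] << 24 | (uint32_t)ip[1] << 16 | (uint32_t)ip[2] << 8 | ip[3];
}

/* The whole rule: the header pins the source IP, the keyword pins the source
 * MAC, so together they express one IP-to-MAC association. Returns 1 on alert. */
int EthSrcRuleMatch(const uint8_t *frame, size_t len, uint32_t rule_src_ip,
                    const DetectEthSrcData *d)
{
    return FrameSrcIPv4(frame, len) == rule_src_ip && DetectEthSrcMatch(frame, len, d);
}

/* Parse the option and evaluate the rule on one frame in a single call.
 * Returns -1 for a malformed option, otherwise 0 or 1. */
int EthSrcRuleEval(const char *opt, const uint8_t *frame, size_t len, uint32_t rule_src_ip)
{
    DetectEthSrcData d;
    if (DetectEthSrcParse(opt, &d) != 0)
        return -1;
    return EthSrcRuleMatch(frame, len, rule_src_ip, &d);
}

/* Constructed sample frame: Ethernet + minimal IPv4 header, source MAC
 * 00:0c:29:43:2a:ef and source IP 192.168.220.227, payload omitted. */
static const uint8_t kSampleFrame[ETH_HLEN + IPV4_MIN_HLEN] = {
    0xff,0xff,0xff,0xff,0xff,0xff,            /* dst MAC */
    0x00,0x0c,0x29,0x43,0x2a,0xef,            /* src MAC */
    0x08,0x00,                                /* ethertype IPv4 */
    0x45,0x00,0x00,0x14,0x00,0x00,0x00,0x00,  /* ver/ihl, tos, total len=20, id, flags/frag */
    0x40,0x01,0x00,0x00,                      /* ttl, proto=ICMP, checksum (left zero) */
    192,168,220,227,                          /* src IP */
    192,168,220,1                             /* dst IP */
};
#define SAMPLE_SRC_IP 0xC0A8DCE3u             /* 192.168.220.227 */

int main(void)
{
    size_t n = sizeof kSampleFrame;
    printf("expected MAC:  %d\n", EthSrcRuleEval("00:0c:29:43:2a:ef",  kSampleFrame, n, SAMPLE_SRC_IP));
    printf("negated form:  %d\n", EthSrcRuleEval("!00:0c:29:43:2a:ef", kSampleFrame, n, SAMPLE_SRC_IP));
    printf("bad option:    %d\n", EthSrcRuleEval("00-0c-29-43-2a-ef",  kSampleFrame, n, SAMPLE_SRC_IP));
    return 0;
}
```

The parse step is the part worth being strict about: a keyword that accepts a malformed MAC and stores zeros would load cleanly and then never fire, which is the worst failure mode for a rule meant to catch a spoofed hardware address. The negated form is one way to get the "wrong hw addr" semantics the rule's msg suggests without a second keyword; the message above does not say how the posted implementation handles that, so treat it as a design option rather than a description of their code.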
