[Oisf-devel] Signature matching and app-layer reassembly

Jason Ish lists at unx.ca
Wed Apr 29 16:02:43 UTC 2015


On Tue, Apr 28, 2015 at 11:19 AM, Adrian Falk <adrianfalk2 at gmail.com> wrote:
> Hello,
>
> Please provide an example of how signature matching works on an app-layer
> reassembled buffer.
>
> To explain further, as part of app-layer parsing I perform app-layer
> reassembly into a buffer (referenced by the app-layer protocol transaction
> structure). However for signature matching in SigMatchSignatures() and all
> the functions it calls, it uses the "Packet" data structure to get payload
> and payload_len.
>
> Is there an example of app-layer reassembly and how signatures (especially
> payload inspection) is applied against a reassembled buffer instead of
> buffer referenced by p->payload? I don't want to use a brand-new keyword to
> implement this.

I believe you will require a new keyword, and associated code to point
DetectEngineContentInspection at the right buffer.  For examples, you
could look at the dnsquery keyword, or the dnp3_data keyword in my
dnp3_branch, specifically this commit:
https://github.com/jasonish/suricata/commit/9f47ae0ffaf490958c6fbb4921951f3ad523a44a

Which likely contains more than required - specifically look at
detect-dnp3-data.c (for keyword setup) and detect-engine-dnp3-data.c
(for doing the match).

I'm sure Victor will jump in if I'm wrong about not requiring a new
keyword.  I do think a simpler template would be useful as an example
here.

Hope that helps,
Jason
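
As an added illustration (not Suricata code, and not from Jason's dnp3 branch), the following stand-alone C model shows the dispatch he describes: the keyword records at setup time which buffer a signature's content applies to, and the match routine then hands the transaction's reassembled buffer, rather than p->payload, to the same content inspection. All type and function names here (Packet, AppTx, Signature, sig_match, demo_hits) and the two request fragments are constructed for this example; the real engine's entry point is DetectEngineContentInspection and its structures differ.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Suricata's types. */
typedef struct {
    const uint8_t *payload;     /* stands in for p->payload / p->payload_len */
    uint32_t payload_len;
} Packet;

typedef struct {                /* hypothetical app-layer transaction */
    uint8_t buf[256];           /* reassembled request bytes */
    uint32_t len;
} AppTx;

/* Which buffer a signature's content is inspected against. This is what a
 * buffer-selecting keyword would record when the rule is parsed. */
enum BufferSelect { BUF_PACKET_PAYLOAD, BUF_APP_TX };

typedef struct {
    const uint8_t *content;
    uint32_t content_len;
    enum BufferSelect select;
} Signature;

/* Plain substring search; the engine's content inspection is far richer but
 * takes the same (buffer, length) pair, which is the point of the dispatch. */
static int content_inspect(const uint8_t *buf, uint32_t len,
                           const uint8_t *pat, uint32_t plen)
{
    if (plen == 0 || plen > len)
        return 0;
    for (uint32_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return 1;
    return 0;
}

/* The "reassembly" step done by the app-layer parser. */
static int app_tx_append(AppTx *tx, const Packet *p)
{
    if (p->payload_len > sizeof(tx->buf) - tx->len)
        return -1;              /* refuse to overflow the reassembly buffer */
    memcpy(tx->buf + tx->len, p->payload, p->payload_len);
    tx->len += p->payload_len;
    return 0;
}

/* Select the buffer by keyword, then run the shared inspection on it. */
static int sig_match(const Signature *s, const Packet *p, const AppTx *tx)
{
    const uint8_t *buf;
    uint32_t len;
    if (s->select == BUF_APP_TX) {
        if (tx == NULL)         /* no transaction yet: nothing to inspect */
            return 0;
        buf = tx->buf;
        len = tx->len;
    } else {
        buf = p->payload;
        len = p->payload_len;
    }
    return content_inspect(buf, len, s->content, s->content_len);
}

/* Constructed input: one request split across two packets so that the
 * pattern straddles the segment boundary. */
static const uint8_t SEG1[] = "GET /adm";
static const uint8_t SEG2[] = "in/login HTTP/1.0\r\n";
static const uint8_t PATTERN[] = "/admin/login";

/* Feed both packets through reassembly and count matches for one buffer
 * selection. Returns -1 if reassembly fails. */
int demo_hits(enum BufferSelect select)
{
    Packet pkts[2] = {
        { SEG1, (uint32_t)(sizeof(SEG1) - 1) },
        { SEG2, (uint32_t)(sizeof(SEG2) - 1) },
    };
    Signature sig = { PATTERN, (uint32_t)(sizeof(PATTERN) - 1), select };
    AppTx tx = { {0}, 0 };
    int hits = 0;
    for (int i = 0; i < 2; i++) {
        if (app_tx_append(&tx, &pkts[i]) != 0)
            return -1;
        hits += sig_match(&sig, &pkts[i], &tx);
    }
    return hits;
}

int main(void)
{
    printf("packet payload hits: %d\n", demo_hits(BUF_PACKET_PAYLOAD));
    printf("app-layer buffer hits: %d\n", demo_hits(BUF_APP_TX));
    return 0;
}
```

Against p->payload the pattern never matches, because neither segment carries it whole; against the reassembled transaction buffer it matches once the second segment has been appended. One caveat a real keyword must handle and this model does not: once the transaction buffer is complete, every later packet on the flow would re-inspect the same bytes, so the engine has to remember per transaction that inspection already happened (or that the buffer is final) to avoid duplicate alerts.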
