[Oisf-devel] Signature matching and app-layer reassembly

Adrian Falk adrianfalk2 at gmail.com
Thu May 14 19:43:58 UTC 2015


Thank you Jason. Using a new keyword as you suggested worked for me.

On Wed, Apr 29, 2015 at 12:02 PM, Jason Ish <lists at unx.ca> wrote:

> On Tue, Apr 28, 2015 at 11:19 AM, Adrian Falk <adrianfalk2 at gmail.com>
> wrote:
> > Hello,
> >
> > Please provide an example of how signature matching works on an app-layer
> > reassembled buffer.
> >
> > To explain further, as part of app-layer parsing I perform app-layer
> > reassembly into a buffer (referenced by the app-layer protocol
> > transaction structure). However, for signature matching in
> > SigMatchSignatures() and all the functions it calls, it uses the
> > "Packet" data structure to get payload and payload_len.
> >
> > Is there an example of app-layer reassembly and how signatures
> > (especially payload inspection) are applied against a reassembled
> > buffer instead of the buffer referenced by p->payload? I don't want to
> > use a brand-new keyword to implement this.
>
> I believe you will require a new keyword, and associated code to point
> DetectEngineContentInspection at the right buffer.  For examples, you
> could look at the dnsquery keyword, or the dnp3_data keyword in my
> dnp3_branch, specifically this commit:
>
> https://github.com/jasonish/suricata/commit/9f47ae0ffaf490958c6fbb4921951f3ad523a44a
>
> Which likely contains more than required - specifically look at
> detect-dnp3-data.c (for keyword setup) and detect-engine-dnp3-data.c
> (for doing the match).
>
> I'm sure Victor will jump in if I'm wrong about not requiring a new
> keyword.  I do think a simpler template would be useful as an example
> here.
>
> Hope that helps,
> Jason
>
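Added illustration of the point Jason makes above (a keyword that binds the content inspection to the transaction's reassembled buffer instead of p->payload). This is a constructed, stand-alone C model written for this archive page, not Suricata code: Packet, AppTx, SigMatch, BufferSel, apptx_feed, content_inspect, sigmatch_inspect and scenario_split_pattern are all hypothetical names, and the two HTTP segments are constructed sample input. It shows why the packet-payload path cannot match a pattern that straddles two segments while the tx-buffer path can.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Suricata code: the two buffers a content match can
 * run over. All type and function names here are hypothetical. */

/* Stand-in for the packet: what p->payload / p->payload_len give you. */
typedef struct Packet {
    const uint8_t *payload;
    uint32_t payload_len;
} Packet;

/* Stand-in for an app-layer transaction that owns a reassembled buffer. */
typedef struct AppTx {
    uint8_t buf[256];
    uint32_t buf_len;
} AppTx;

/* Which buffer a keyword asks the engine to inspect. */
typedef enum {
    BUF_PACKET_PAYLOAD,   /* default content match on p->payload */
    BUF_TX_REASSEMBLED    /* hypothetical keyword: inspect the tx buffer */
} BufferSel;

/* A content match plus the buffer it is bound to. */
typedef struct SigMatch {
    const uint8_t *pattern;
    uint32_t pattern_len;
    BufferSel sel;
} SigMatch;

/* Reassembly step of the (hypothetical) app-layer parser: append a segment. */
static int apptx_feed(AppTx *tx, const Packet *p) {
    if (p->payload_len > sizeof(tx->buf) - tx->buf_len)
        return -1;                         /* would overflow the tx buffer */
    memcpy(tx->buf + tx->buf_len, p->payload, p->payload_len);
    tx->buf_len += p->payload_len;
    return 0;
}

/* Generic content inspection over any buffer (naive substring search). */
static int content_inspect(const uint8_t *pattern, uint32_t pattern_len,
                           const uint8_t *buf, uint32_t buf_len) {
    if (pattern_len == 0 || buf_len < pattern_len)
        return 0;
    for (uint32_t i = 0; i + pattern_len <= buf_len; i++) {
        if (memcmp(buf + i, pattern, pattern_len) == 0)
            return 1;
    }
    return 0;
}

/* The keyword's job: route the same inspection to the chosen buffer. */
static int sigmatch_inspect(const SigMatch *sm, const Packet *p, const AppTx *tx) {
    switch (sm->sel) {
    case BUF_PACKET_PAYLOAD:
        return content_inspect(sm->pattern, sm->pattern_len, p->payload, p->payload_len);
    case BUF_TX_REASSEMBLED:
        if (tx == NULL)
            return 0;                      /* no transaction yet: nothing to inspect */
        return content_inspect(sm->pattern, sm->pattern_len, tx->buf, tx->buf_len);
    }
    return 0;
}

/* Worked scenario (constructed input): the request "GET /admin HTTP/1.0"
 * arrives in two segments, splitting the pattern "GET /admin" across them.
 * Returns 1 if the signature fires on any packet when bound to the given
 * buffer, 0 if it never fires, -1 on reassembly overflow. */
int scenario_split_pattern(BufferSel sel) {
    static const uint8_t seg1[] = "GET /ad";
    static const uint8_t seg2[] = "min HTTP/1.0\r\n";
    static const uint8_t pat[] = "GET /admin";
    const Packet pkts[2] = {
        { seg1, sizeof(seg1) - 1 },
        { seg2, sizeof(seg2) - 1 },
    };
    SigMatch sm = { pat, sizeof(pat) - 1, sel };
    AppTx tx;
    memset(&tx, 0, sizeof(tx));
    int hit = 0;
    for (int i = 0; i < 2; i++) {
        if (apptx_feed(&tx, &pkts[i]) != 0)
            return -1;
        hit |= sigmatch_inspect(&sm, &pkts[i], &tx);
    }
    return hit;
}

int main(void) {
    printf("bound to p->payload:         %d\n", scenario_split_pattern(BUF_PACKET_PAYLOAD));
    printf("bound to reassembled tx buf: %d\n", scenario_split_pattern(BUF_TX_REASSEMBLED));
    return 0;
}
```

The only thing the "keyword" does is choose which buffer the otherwise unchanged content inspection walks; that is the part a new keyword's setup and match functions have to supply, and the part that cannot be expressed with the stock payload match, because the stock match only ever sees one packet's payload.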