<div dir="ltr">Thanks Victor. This is exactly what I was looking for. <div><br></div><div>Following are an observation and a follow-up question.<div><br></div><div>Observation: A cosmetic nit I saw when I pulled in the modbus files and ran Suricata. In the file app-layer-detect-proto.c add the following changes to fix this cosmetic nit:</div><div>688,689d687</div><div> else if (pp_pe->alproto == ALPROTO_MODBUS)</div><div> printf(" alproto: ALPROTO_MODBUS\n");</div><div>739,740d736</div><div><div> else if (pp_pe->alproto == ALPROTO_MODBUS)</div><div> printf(" alproto: ALPROTO_MODBUS\n");</div></div><div><br></div><div><br></div><div>Follow-up question: Is there a file that you can point me to that performs packet reassembly at L7. </div></div><div><br></div><div>Thanks.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 3, 2014 at 3:03 AM, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 09/29/2014 05:01 PM, Adrian Falk wrote:<br>
> I am thinking about how to develop a Suricata pre-processor for a TCP<br>
> based L7 protocol. I have looked at the Suricata source code and have<br>
> also<br>
> reviewed <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Inspection_Module" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Inspection_Module</a><br>
<br>
</span>For this case, you'll need to use the app layer api instead. Sadly, it's<br>
not documented yet.<br>
<span class=""><br>
> I have the following questions:<br>
><br>
> 1. Adding code as per the above document will allow me to add new<br>
> keywords as well as allow me to perform protocol packet boilerplate<br>
> checks (len, checksum, etc). Correct?<br>
><br>
> 2. How would I add support for protocol detection?<br>
><br>
> 3. How would I add stateful packet processing for the L7 protocol?<br>
><br>
<br>
</span>I would like to suggest having a look at this work<br>
<a href="https://github.com/inliniac/suricata/pull/1134" target="_blank">https://github.com/inliniac/suricata/pull/1134</a><br>
<br>
It does all that you ask for modbus.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
_______________________________________________<br>
Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org">oisf-devel@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Participate: <a href="http://suricata-ids.org/participate/" target="_blank">http://suricata-ids.org/participate/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
Redmine: <a href="https://redmine.openinfosecfoundation.org/" target="_blank">https://redmine.openinfosecfoundation.org/</a><br>
</font></span></blockquote></div><br></div>