<div dir="ltr"><br><div>My DHCP code is here <a href="https://github.com/decanio/suricata-np/tree/feature/dhcp-v2">https://github.com/decanio/suricata-np/tree/feature/dhcp-v2</a> for those who are curious.  Close to sending a PR for this.  Comments are welcome.</div><div><br></div><div>Tom</div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Apr 10, 2017 at 8:33 AM Tom DeCanio <<a href="mailto:decanio.tom@gmail.com">decanio.tom@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="gmail_msg"><div class="gmail_msg">We've got a DHCP implementation well underway.  I need to push the most recent work to my public git repo.<br class="gmail_msg"><br class="gmail_msg"></div></div><div dir="ltr" class="gmail_msg">Tom<br class="gmail_msg"></div><div class="gmail_extra gmail_msg"><br class="gmail_msg"><div class="gmail_quote gmail_msg">On Sun, Apr 9, 2017 at 10:16 PM, <a href="mailto:tidy@holonetsecurity.com" class="gmail_msg" target="_blank">tidy@holonetsecurity.com</a> <span dir="ltr" class="gmail_msg"><<a href="mailto:tidy@holonetsecurity.com" class="gmail_msg" target="_blank">tidy@holonetsecurity.com</a>></span> wrote:<br class="gmail_msg"><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Jason, great and thanks very much for your detailed info; I will update you when I run into an issue.<br class="gmail_msg">
<br class="gmail_msg">
-Tidy<br class="gmail_msg">
<div class="m_-5495731012591871996HOEnZb gmail_msg"><div class="m_-5495731012591871996h5 gmail_msg"><br class="gmail_msg">
> On Apr 10, 2017, at 12:11 PM, Jason Ish <<a href="mailto:lists@ish.cx" class="gmail_msg" target="_blank">lists@ish.cx</a>> wrote:<br class="gmail_msg">
><br class="gmail_msg">
> On 09/04/17 08:55 PM, <a href="mailto:tidy@holonetsecurity.com" class="gmail_msg" target="_blank">tidy@holonetsecurity.com</a> wrote:<br class="gmail_msg">
>> I would like to add application protocol parsing to suricata engine,<br class="gmail_msg">
>> example: DHCP protocol. what main framework code we need to change ?<br class="gmail_msg">
>> Thanks.<br class="gmail_msg">
><br class="gmail_msg">
> There is not much of a guide right now, but there are some templates and generation scripts designed to help you get started.<br class="gmail_msg">
><br class="gmail_msg">
> For the actual parsing of the protocol and handling protocol state, see:<br class="gmail_msg">
> src/app-layer-template.[ch]<br class="gmail_msg">
><br class="gmail_msg">
> For logging application events (ie: dns, tls, etc) see:<br class="gmail_msg">
> src/output-json-template.c<br class="gmail_msg">
><br class="gmail_msg">
> For performing content inspection on buffers extracted as part of the app-layer see:<br class="gmail_msg">
> src/detect-template-buffer.c<br class="gmail_msg">
><br class="gmail_msg">
> There are some scripts to handle some of the boilerplate, such as:<br class="gmail_msg">
><br class="gmail_msg">
> - To stub the initial app-layer for your protocol:<br class="gmail_msg">
>  ./scripts/setup-app-layer.sh DHCP<br class="gmail_msg">
> (sorry, there is a typo in this script...  edx instead of ed, so just fix that up before running)<br class="gmail_msg">
><br class="gmail_msg">
> - To stub out the application logging:<br class="gmail_msg">
>  ./scripts/setup-app-layer-logger.sh DHCP<br class="gmail_msg">
><br class="gmail_msg">
> - And to stub out detection:<br class="gmail_msg">
>  ./scripts/setup-app-layer-detect-detect.sh DHCP<br class="gmail_msg">
><br class="gmail_msg">
> Please note that I think the scripts may be due for some updating, so please let me know if you run into any issues.<br class="gmail_msg">
><br class="gmail_msg">
> As for DHCP, please note that an implementation is already under review and should show up soon.<br class="gmail_msg">
><br class="gmail_msg">
> Jason<br class="gmail_msg">
> _______________________________________________<br class="gmail_msg">
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" class="gmail_msg" target="_blank">oisf-users@openinfosecfoundation.org</a><br class="gmail_msg">
> Site: <a href="http://suricata-ids.org" rel="noreferrer" class="gmail_msg" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" class="gmail_msg" target="_blank">http://suricata-ids.org/support/</a><br class="gmail_msg">
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" class="gmail_msg" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br class="gmail_msg">
<br class="gmail_msg">
</div></div></blockquote></div><br class="gmail_msg"></div>
</blockquote></div>