<div dir="ltr">You're welcome! I just pushed another feature/dhcp-v3 branch to the repo. This fixes a race condition that can occur (mostly in with running with -r file.pcap mode when running with multiple packet processing threads. If the request/response got processed out of order the src_ip and dest_ip wound up with 0.0.0.0 255.255.255.255 respectively which I didn't like. So I arranges things so that the ip address pair from the response is always used in the log output which is more meaningful and leads to less confusion.<div><br>If you have suggestions for improvements or additional functionality in the DHCP code let me know and I'll look into adding it.</div><div><br></div><div>PR should happen soon.</div><div><br></div><div>Tom</div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Apr 12, 2017 at 9:56 PM <a href="mailto:tidy@holonetsecurity.com">tidy@holonetsecurity.com</a> <<a href="mailto:tidy@holonetsecurity.com">tidy@holonetsecurity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Cool, Thanks Tom.<div><br></div><div></div></div><div style="word-wrap:break-word"><div>-Tidy</div></div><div style="word-wrap:break-word"><div><br><div><blockquote type="cite"><div>On Apr 12, 2017, at 11:58 PM, Tom DeCanio <<a href="mailto:decanio.tom@gmail.com" target="_blank">decanio.tom@gmail.com</a>> wrote:</div><br class="m_4494016469219580093Apple-interchange-newline"><div><div dir="ltr"><br><div>My DHCP code is here <a href="https://github.com/decanio/suricata-np/tree/feature/dhcp-v2" target="_blank">https://github.com/decanio/suricata-np/tree/feature/dhcp-v2</a> for those who are curious. Close to sending a PR for this. Comments are welcome.</div><div><br></div><div>Tom</div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Apr 10, 2017 at 8:33 AM Tom DeCanio <<a href="mailto:decanio.tom@gmail.com" target="_blank">decanio.tom@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="m_4494016469219580093gmail_msg"><div class="m_4494016469219580093gmail_msg">We've got a DHCP implementation well underway. I need to push the most recent work to my pubic git repo.<br class="m_4494016469219580093gmail_msg"><br class="m_4494016469219580093gmail_msg"></div></div><div dir="ltr" class="m_4494016469219580093gmail_msg">Tom<br class="m_4494016469219580093gmail_msg"></div><div class="gmail_extra m_4494016469219580093gmail_msg"><br class="m_4494016469219580093gmail_msg"><div class="gmail_quote m_4494016469219580093gmail_msg">On Sun, Apr 9, 2017 at 10:16 PM, <a href="mailto:tidy@holonetsecurity.com" class="m_4494016469219580093gmail_msg" target="_blank">tidy@holonetsecurity.com</a> <span dir="ltr" class="m_4494016469219580093gmail_msg"><<a href="mailto:tidy@holonetsecurity.com" class="m_4494016469219580093gmail_msg" target="_blank">tidy@holonetsecurity.com</a>></span> wrote:<br class="m_4494016469219580093gmail_msg"><blockquote class="gmail_quote m_4494016469219580093gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Jason, great and thanks very much for your detail info and will update you when I run into issue.<br class="m_4494016469219580093gmail_msg">
<br class="m_4494016469219580093gmail_msg">
-Tidy<br class="m_4494016469219580093gmail_msg">
<div class="m_4494016469219580093gmail_msg m_4494016469219580093m_-5495731012591871996HOEnZb"><div class="m_4494016469219580093gmail_msg m_4494016469219580093m_-5495731012591871996h5"><br class="m_4494016469219580093gmail_msg">
> On Apr 10, 2017, at 12:11 PM, Jason Ish <<a href="mailto:lists@ish.cx" class="m_4494016469219580093gmail_msg" target="_blank">lists@ish.cx</a>> wrote:<br class="m_4494016469219580093gmail_msg">
><br class="m_4494016469219580093gmail_msg">
> On 09/04/17 08:55 PM, <a href="mailto:tidy@holonetsecurity.com" class="m_4494016469219580093gmail_msg" target="_blank">tidy@holonetsecurity.com</a> wrote:<br class="m_4494016469219580093gmail_msg">
>> I would like to add application protocol parsing to suricata engine,<br class="m_4494016469219580093gmail_msg">
>> example: DHCP protocol. what main framework code we need to change ?<br class="m_4494016469219580093gmail_msg">
>> Thanks.<br class="m_4494016469219580093gmail_msg">
><br class="m_4494016469219580093gmail_msg">
> There is not much of a guide right now, but there are some templates and generation scripts designed to help you get started.<br class="m_4494016469219580093gmail_msg">
><br class="m_4494016469219580093gmail_msg">
> For the actual parsing of the protocol and handling protocol state, see:<br class="m_4494016469219580093gmail_msg">
> src/app-layer-template.[ch]<br class="m_4494016469219580093gmail_msg">
><br class="m_4494016469219580093gmail_msg">
> For logging application events (ie: dns, tls, etc) see:<br class="m_4494016469219580093gmail_msg">
> src/output-json-template.c<br class="m_4494016469219580093gmail_msg">
><br class="m_4494016469219580093gmail_msg">
> For performaning content inspection on buffers extracted as part of the app-layer see:<br class="m_4494016469219580093gmail_msg">
> src/detect-template-buffer.c<br class="m_4494016469219580093gmail_msg">
><br class="m_4494016469219580093gmail_msg">
> There are some scripts to handle some of the boilerplate, such as:<br class="m_4494016469219580093gmail_msg">
><br class="m_4494016469219580093gmail_msg">
> - To stub the initial app-layer for your protocol:<br class="m_4494016469219580093gmail_msg">
> ./scripts/setup-app-layer.sh DHCP<br class="m_4494016469219580093gmail_msg">
> (sorry, there is a typo in this script... edx instead of ed, so just fix that up before running)<br class="m_4494016469219580093gmail_msg">
><br class="m_4494016469219580093gmail_msg">
> - To stub out the application logging:<br class="m_4494016469219580093gmail_msg">
> ./scripts/setup-app-layer-logger.sh DHCP<br class="m_4494016469219580093gmail_msg">
><br class="m_4494016469219580093gmail_msg">
> - And to stub out detection:<br class="m_4494016469219580093gmail_msg">
> ./scripts/setup-app-layer-detect-detect.sh DHCP<br class="m_4494016469219580093gmail_msg">
><br class="m_4494016469219580093gmail_msg">
> Please note that I think the scripts may be do for some updating, so please let me know if you run into any issues.<br class="m_4494016469219580093gmail_msg">
><br class="m_4494016469219580093gmail_msg">
> As for DHCP, please note than an implementation is already under review and should show up soon.<br class="m_4494016469219580093gmail_msg">
><br class="m_4494016469219580093gmail_msg">
> Jason<br class="m_4494016469219580093gmail_msg">
> _______________________________________________<br class="m_4494016469219580093gmail_msg">
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" class="m_4494016469219580093gmail_msg" target="_blank">oisf-users@openinfosecfoundation.org</a><br class="m_4494016469219580093gmail_msg">
> Site: <a href="http://suricata-ids.org/" rel="noreferrer" class="m_4494016469219580093gmail_msg" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" class="m_4494016469219580093gmail_msg" target="_blank">http://suricata-ids.org/support/</a><br class="m_4494016469219580093gmail_msg">
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" class="m_4494016469219580093gmail_msg" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br class="m_4494016469219580093gmail_msg">
<br class="m_4494016469219580093gmail_msg">
_______________________________________________<br class="m_4494016469219580093gmail_msg">
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" class="m_4494016469219580093gmail_msg" target="_blank">oisf-users@openinfosecfoundation.org</a><br class="m_4494016469219580093gmail_msg">
Site: <a href="http://suricata-ids.org/" rel="noreferrer" class="m_4494016469219580093gmail_msg" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" class="m_4494016469219580093gmail_msg" target="_blank">http://suricata-ids.org/support/</a><br class="m_4494016469219580093gmail_msg">
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" class="m_4494016469219580093gmail_msg" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br class="m_4494016469219580093gmail_msg">
</div></div></blockquote></div><br class="m_4494016469219580093gmail_msg"></div>
</blockquote></div>
</div></blockquote></div><br></div></div></blockquote></div>