[Oisf-devel] codes of app layer proto detect and register
Victor Julien
victor at inliniac.net
Sun Feb 13 15:28:41 UTC 2011
On 02/10/2011 10:41 PM, iswalker wrote:
> When I read the code of app layer proto detect and app layer proto register
> in Suricata, I think the code of proto detect should be moved into parser
> register, so we only need to care about the proto pattern to be registered.
>
> The app layer pattern and app layer proto to be registered should be defined
> in a conf file, like the following (currently the init and register are hard
> coded):
>
> file app-layer-proto-pattern.conf
>
> #Example of app-layer pattern
>
> App-proto:http
> Ip-proto:tcp
> App-proto-pattern: "GET|20|"
> Depth:4
> Offset:0
> Direction:toserver #value like toserver,toclient
>
> App-proto:ftp
> Ip-proto:tcp
> App-proto-pattern: "USER "
> Depth:5
> Offset:0
> Direction:toserver #value like toserver,toclient
>
> App layer proto line in suricata.yaml:
>
> Decode-app-layer-proto:http,ftp,ssl,smb,rpc,ssl,ssh,tns,tds,telnet,msn,icq
>
> The app layer protos listed above should be registered, otherwise NOT registered.
>
> To map app layer proto name and ID, we should add a data type in
> app-layer-protos.h:
>
> typedef struct _alp_proto_conf_t {
>     u_int16_t proto_id;
>     char *proto_name;
> } al_proto_conf_t;
>
> al_proto_conf_t al_proto_conf[ALPROTO_MAX] = {
>     {ALPROTO_UNKNOWN, "unknown"},
>     {ALPROTO_HTTP, "http"},
>     ………
>     {ALPROTO_DCERPC_UDP, "dcerpc-udp"}
> };
>
> So the app proto init becomes part of app layer proto register, and the proto
> pattern and the protos selected to be registered become flexible.
I like this idea. I think it wouldn't be hard to implement. That said,
it's not top priority. Are you interested in taking this up?
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
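As an added example (not Suricata's code, and not iswalker's), here is how entries of the proposed app-layer-proto-pattern.conf could drive detection in C: the content pattern with its |hex| escapes is decoded, and Depth/Offset/Direction are applied with the semantics Suricata's content keyword gives those fields. The struct layout, the function names and the kConf table are this example's assumptions; the two entries and their field values are taken from the proposal above.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Decode a Suricata-style content pattern such as "GET|20|" or "USER " into raw
 * bytes (text is literal, hex pairs inside |...| are bytes). -1 if malformed. */
int DecodePattern(const char *pat, uint8_t *out, int max)
{
    int n = 0, hex = 0;
    for (const char *p = pat; *p; p++) {
        if (*p == '|') { hex = !hex; continue; }
        if (n >= max) return -1;                     /* never overrun `out` */
        if (!hex) { out[n++] = (uint8_t)*p; continue; }
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1])) return -1;
        char h[3] = { p[0], p[1], 0 };
        out[n++] = (uint8_t)strtoul(h, NULL, 16); p++;   /* two hex digits consumed */
    }
    return hex ? -1 : n;                             /* unterminated |...| is an error */
}

/* One entry of the proposed app-layer-proto-pattern.conf (this layout is the example's). */
typedef struct {
    const char *app_proto, *pattern, *direction;    /* direction: "toserver" / "toclient" */
    uint16_t depth, offset;
} AlpPatternConf;

/* Nonzero if the first `len` bytes of a stream flowing in `dir` match the entry:
 * the pattern must start at or after `offset` and end within the first `depth` bytes. */
int AlpPatternMatch(const AlpPatternConf *c, const char *dir, const uint8_t *buf, size_t len)
{
    uint8_t pat[64];
    int plen = DecodePattern(c->pattern, pat, sizeof pat);
    if (plen <= 0 || strcmp(c->direction, dir) != 0) return 0;
    size_t limit = (size_t)c->depth < len ? c->depth : len;   /* search window */
    for (size_t i = c->offset; i + (size_t)plen <= limit; i++)
        if (memcmp(buf + i, pat, (size_t)plen) == 0) return 1;
    return 0;
}

static const AlpPatternConf kConf[] = {    /* the two entries from the proposal */
    { "http", "GET|20|", "toserver", 4, 0 },
    { "ftp",  "USER ",   "toserver", 5, 0 },
};
/* Map a payload to the app-layer proto name it matches, or "unknown". */
const char *AlpDetect(const char *dir, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < sizeof kConf / sizeof kConf[0]; i++)
        if (AlpPatternMatch(&kConf[i], dir, buf, len)) return kConf[i].app_proto;
    return "unknown";
}
```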