[Oisf-devel] [RFC PATCH 0/9] minimal SCTP support

Eric Leblond eric at regit.org
Mon Feb 28 16:44:26 UTC 2011


Hi,

Here's a patchset which provides basic SCTP support in Suricata. The
keyword sctp can now be used in rules like 'udp' or 'tcp'. Port filtering
is working and basic flow support is implemented.

The main limitation is linked to the way SCTP handles data. An SCTP packet
contains a variable number of sub-elements named chunks. Chunks are typed
and userspace data is stored in DATA chunks. Thus, to be able to filter on
application payload, we will have to extract all DATA chunks and test the
signature on them.

The current implementation sees all chunks as the payload, and payload
matching is thus also done on chunk headers. Extended support should
at least provide:
 * A keyword to match only on DATA chunks
 * A dedicated reassembly algorithm
The first part seems non-trivial because it involves matching only on
a subset of the payload.

Any idea on how to implement this easily?

The second part is clearly non-trivial and a big effort will be needed to
accomplish this task.

Patchset statistics:
 src/Makefile.am               |    1 +
 src/decode-events.h           |    3 ++
 src/decode-icmpv4.h           |    1 +
 src/decode-icmpv6.c           |    1 +
 src/decode-icmpv6.h           |    1 +
 src/decode-ipv4.c             |    4 ++
 src/decode-ipv6.c             |    7 ++++
 src/decode-sctp.c             |   75 +++++++++++++++++++++++++++++++++++++++++
 src/decode-sctp.h             |   50 +++++++++++++++++++++++++++
 src/decode.c                  |    2 +
 src/decode.h                  |   20 +++++++++++
 src/detect-engine-proto.c     |    4 ++
 src/detect-parse.c            |    3 +-
 src/detect.c                  |   48 ++++++++++++++++++++++++--
 src/flow-private.h            |    1 +
 src/flow-util.c               |    5 +++
 src/flow.c                    |    2 +-
 src/respond-reject-libnet11.c |    1 +
 src/util-validate.h           |    2 +
 19 files changed, 225 insertions(+), 6 deletions(-)

BR,
--
Eric Leblond <eric at regit.org>
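The chunk layout described in the message, as an added example that is not part of this patchset or of Suricata's own decoder: a small C walker over the SCTP common header and chunk list that collects the user data of every DATA chunk, next to a matcher that searches everything after the common header the way the patchset currently does. The packet bytes are constructed for the example (not a capture) and all function and constant names are this example's own; field sizes follow RFC 4960 (12-byte common header, 4-byte chunk header, 16-byte DATA chunk header, chunks padded to 4 bytes, length field excluding padding).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field sizes from RFC 4960. All names in this file are the example's own. */
#define SCTP_HDR_LEN         12 /* src port, dst port, verification tag, checksum */
#define SCTP_CHUNK_HDR_LEN    4 /* type, flags, length */
#define SCTP_DATA_HDR_LEN    16 /* chunk header + TSN + stream id + stream seq + PPID */
#define SCTP_CHUNK_TYPE_DATA  0
#define MAX_DATA_CHUNKS      16

typedef struct {
    const uint8_t *payload; /* user data carried by one DATA chunk */
    size_t len;
} sctp_data_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the chunk list after the common header and record the user data of every
 * DATA chunk. Returns the number of DATA chunks seen (may exceed max_out), or -1
 * when a chunk length is impossible for the bytes available (zero or truncated). */
int sctp_extract_data(const uint8_t *pkt, size_t len, sctp_data_t *out, size_t max_out)
{
    if (len < SCTP_HDR_LEN)
        return -1;
    size_t off = SCTP_HDR_LEN;
    int n = 0;
    while (off + SCTP_CHUNK_HDR_LEN <= len) {
        uint8_t type = pkt[off];
        uint16_t clen = be16(pkt + off + 2); /* header + value, padding excluded */
        if (clen < SCTP_CHUNK_HDR_LEN || clen > len - off)
            return -1;                       /* zero-length or truncated chunk */
        if (type == SCTP_CHUNK_TYPE_DATA) {
            if (clen < SCTP_DATA_HDR_LEN)
                return -1;                   /* DATA chunk shorter than its own header */
            if ((size_t)n < max_out) {
                out[n].payload = pkt + off + SCTP_DATA_HDR_LEN;
                out[n].len = clen - SCTP_DATA_HDR_LEN;
            }
            n++;
        }
        off += (clen + 3u) & ~3u;            /* chunks are padded to a 4-byte boundary */
    }
    return n;
}

static int contains(const uint8_t *hay, size_t hlen, const char *pat)
{
    size_t plen = strlen(pat);
    if (plen == 0 || plen > hlen)
        return 0;
    for (size_t i = 0; i + plen <= hlen; i++)
        if (memcmp(hay + i, pat, plen) == 0)
            return 1;
    return 0;
}

/* What the patchset does today: every byte after the common header is "payload",
 * so chunk headers and non-DATA chunks (here a SACK) are searched as well. */
int sctp_match_all_chunks(const uint8_t *pkt, size_t len, const char *pat)
{
    return len >= SCTP_HDR_LEN && contains(pkt + SCTP_HDR_LEN, len - SCTP_HDR_LEN, pat);
}

/* What a DATA-only keyword would do: search each DATA chunk's user data alone. */
int sctp_match_data_chunks(const uint8_t *pkt, size_t len, const char *pat)
{
    sctp_data_t d[MAX_DATA_CHUNKS];
    int n = sctp_extract_data(pkt, len, d, MAX_DATA_CHUNKS);
    if (n > MAX_DATA_CHUNKS)
        n = MAX_DATA_CHUNKS;
    for (int i = 0; i < n; i++)
        if (contains(d[i].payload, d[i].len, pat))
            return 1;
    return 0;
}

/* Constructed sample packet (not a capture): one SACK chunk, then two DATA chunks. */
const uint8_t sample_pkt[] = {
    /* common header: ports 5000 -> 5001, verification tag, checksum left zero */
    0x13, 0x88, 0x13, 0x89, 0xde, 0xad, 0xbe, 0xef, 0x00, 0x00, 0x00, 0x00,
    /* SACK: type 3, flags 0, length 16; cumulative TSN ack happens to spell "ABCD" */
    0x03, 0x00, 0x00, 0x10, 'A', 'B', 'C', 'D', 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    /* DATA: type 0, flags B|E, length 21 = 16 header + 5 bytes "GET /", padded to 24 */
    0x00, 0x03, 0x00, 0x15, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    'G', 'E', 'T', ' ', '/', 0x00, 0x00, 0x00,
    /* DATA: type 0, flags B|E, length 22 = 16 header + 6 bytes "/admin", padded to 24 */
    0x00, 0x03, 0x00, 0x16, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    '/', 'a', 'd', 'm', 'i', 'n', 0x00, 0x00,
};
const size_t sample_len = sizeof sample_pkt;

int main(void)
{
    sctp_data_t d[MAX_DATA_CHUNKS];
    int n = sctp_extract_data(sample_pkt, sample_len, d, MAX_DATA_CHUNKS);
    printf("DATA chunks: %d\n", n);
    printf("\"ABCD\" matches: all chunks %d, DATA only %d\n",
           sctp_match_all_chunks(sample_pkt, sample_len, "ABCD"),
           sctp_match_data_chunks(sample_pkt, sample_len, "ABCD"));
    return 0;
}
```

The pattern "ABCD" never appears in user data, yet the whole-chunk search reports a hit because it lands on the SACK chunk's cumulative TSN field; the DATA-only search does not. The walker also refuses a chunk whose length field is zero or runs past the end of the packet, which is the check a decoder needs before trusting the length to advance through the list.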

