[Oisf-devel] codes of app layer proto detect and register
iswalker
mail2cissp at gmail.com
Fri Feb 11 03:41:00 UTC 2011
When I read the code of app layer proto detect and app layer proto register
in Suricata, I think the code of proto detect should be moved into parser
register, so we only need to care about the proto pattern to be registered.
The app layer pattern and app layer proto to be registered should be defined
in a conf file, like the following (currently the init and register are hard
coded):
File app-layer-proto-pattern.conf:
#Example of app-layer pattern
App-proto:http
Ip-proto:tcp
App-proto-pattern: "GET|20|"
Depth:4
Offset:0
Direction:toserver #value like toserver,toclient
App-proto:ftp
Ip-proto:tcp
App-proto-pattern: "USER "
Depth:5
Offset:0
Direction:toserver #value like toserver,toclient
App layer proto line in suricata.yaml:
Decode-app-layer-proto:http,ftp,ssl,smb,rpc,ssl,ssh,tns,tds,telnet,msn,icq
The app layer protos listed above should be registered; otherwise they are NOT registered.
To map app layer proto name and ID, a data type should be added in
app-layer-protos.h:
#include <stdint.h>

typedef struct _alp_proto_conf_t {
    uint16_t proto_id;
    char *proto_name;
} al_proto_conf_t;

al_proto_conf_t al_proto_conf[ALPROTO_MAX] = {
    { ALPROTO_UNKNOWN, "unknown" },
    { ALPROTO_HTTP, "http" },
    /* ……… */
    { ALPROTO_DCERPC_UDP, "dcerpc-udp" }
};
So the app proto init becomes part of the app layer proto register, and the
proto pattern and the protos selected to be registered become flexible.
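Added example, written for this page and not code from Suricata or from the poster: a small C implementation of the proposal above. It parses the app-layer-proto-pattern.conf records, keeps only the protos named in the Decode-app-layer-proto value, decodes the |xx| hex escapes used in the pattern strings, and matches a payload against the registered patterns inside their offset/depth window. Every identifier (the alp_* functions, the three ALPROTO_* values, the record layout, the sample conf and yaml strings) is an assumption made for the illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { ALPROTO_UNKNOWN = 0, ALPROTO_HTTP, ALPROTO_FTP, ALPROTO_MAX };
enum { ALP_DIR_TOSERVER = 0, ALP_DIR_TOCLIENT = 1 };
static const char *alp_names[ALPROTO_MAX] = { "unknown", "http", "ftp" }; /* stand-in for al_proto_conf[] */
typedef struct {
    uint16_t proto_id, depth, offset;
    int      direction;
    uint8_t  pattern[64]; size_t pattern_len;      /* decoded bytes, |xx| hex escapes resolved */
} alp_pattern_t;
static alp_pattern_t alp_patterns[32];
static size_t        alp_npatterns;
uint16_t alp_proto_id(const char *name) {
    for (uint16_t i = 0; i < ALPROTO_MAX; i++)
        if (strcmp(alp_names[i], name) == 0) return i;
    return ALPROTO_UNKNOWN;
}
/* Is `name` listed in the Decode-app-layer-proto value, e.g. "http,ftp,ssl"? */
int alp_is_enabled(const char *csv, const char *name) {
    char hay[256], needle[64];
    snprintf(hay, sizeof hay, ",%s,", csv); snprintf(needle, sizeof needle, ",%s,", name);
    return strstr(hay, needle) != NULL;            /* comma framing keeps "ftp" from matching "sftp" */
}
/* Decode content syntax like "GET|20|" (|..| holds hex bytes); -1 if malformed */
int alp_decode_pattern(const char *s, uint8_t *out, size_t max) {
    size_t n = 0; int inhex = 0;
    for (; *s; s++) {
        if (*s == '|') { inhex = !inhex; continue; }
        if (n >= max) return -1;                   /* never overrun `out` */
        if (!inhex) { out[n++] = (uint8_t)*s; continue; }
        if (!isxdigit((unsigned char)s[0]) || !isxdigit((unsigned char)s[1])) return -1;
        char hex[3] = { s[0], s[1], 0 };
        out[n++] = (uint8_t)strtoul(hex, NULL, 16);
        s++;                                       /* the second hex digit was consumed too */
    }
    return inhex ? -1 : (int)n;                    /* an unclosed '|' is an error */
}
static void alp_commit(const alp_pattern_t *p, int enabled) {
    if (enabled && p->pattern_len && alp_npatterns < sizeof alp_patterns / sizeof *alp_patterns)
        alp_patterns[alp_npatterns++] = *p;
}
/* Parse the conf text: a record starts at "App-proto:" and is registered only when
 * that proto is in `enabled`. Returns the number of patterns kept, -1 on a bad line. */
int alp_parse_conf(const char *text, const char *enabled) {
    char buf[1024], key[64], val[192];
    alp_pattern_t cur = { 0 };
    int on = 0; alp_npatterns = 0;
    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        if (*line == '#') continue;                /* comment line */
        if (sscanf(line, " %63[^: ]%*[ :]%191[^#\n]", key, val) != 2) return -1;
        for (char *e = val + strlen(val); e > val && e[-1] == ' '; ) *--e = 0;   /* trailing blanks */
        if (strcmp(key, "App-proto") == 0) {
            alp_commit(&cur, on);                  /* finish the previous record */
            memset(&cur, 0, sizeof cur);
            cur.proto_id = alp_proto_id(val);
            on = alp_is_enabled(enabled, val);
        } else if (strcmp(key, "App-proto-pattern") == 0) {
            char *p = val, *q;
            if (*p == '"' && (q = strchr(p + 1, '"'))) { p++; *q = 0; }   /* unquote */
            int n = alp_decode_pattern(p, cur.pattern, sizeof cur.pattern);
            if (n < 0) return -1;
            cur.pattern_len = (size_t)n;
        } else if (strcmp(key, "Depth") == 0) cur.depth = (uint16_t)atoi(val);
        else if (strcmp(key, "Offset") == 0) cur.offset = (uint16_t)atoi(val);
        else if (strcmp(key, "Direction") == 0)
            cur.direction = strcmp(val, "toclient") == 0 ? ALP_DIR_TOCLIENT : ALP_DIR_TOSERVER;
        else if (strcmp(key, "Ip-proto") != 0) return -1;   /* unknown key */
    }
    alp_commit(&cur, on);
    return (int)alp_npatterns;
}
/* A pattern matches when it lies fully inside buf[offset, offset+depth) */
uint16_t alp_detect(const uint8_t *buf, size_t len, int direction) {
    for (size_t i = 0; i < alp_npatterns; i++) {
        const alp_pattern_t *p = &alp_patterns[i];
        size_t end = p->depth && p->offset + (size_t)p->depth < len ? p->offset + p->depth : len;
        if (p->direction != direction || p->offset + p->pattern_len > end) continue;
        for (size_t s = p->offset; s + p->pattern_len <= end; s++)
            if (memcmp(buf + s, p->pattern, p->pattern_len) == 0) return p->proto_id;
    }
    return ALPROTO_UNKNOWN;
}
/* Constructed sample input mirroring the conf and yaml lines in the mail */
static const char alp_sample_conf[] =
    "# Example of app-layer pattern\nApp-proto:http\nIp-proto:tcp\nApp-proto-pattern: \"GET|20|\"\n"
    "Depth:4\nOffset:0\nDirection:toserver # value like toserver,toclient\n"
    "App-proto:ftp\nIp-proto:tcp\nApp-proto-pattern: \"USER \"\nDepth:5\nOffset:0\nDirection:toserver\n";
static const char alp_sample_yaml[] = "http,ftp,ssl,smb";
int main(void) {
    int n = alp_parse_conf(alp_sample_conf, alp_sample_yaml);
    const uint8_t req[] = "GET / HTTP/1.1\r\n";
    printf("%d patterns registered, detected proto id %u\n", n, alp_detect(req, sizeof req - 1, ALP_DIR_TOSERVER));
}
```

Two design points worth noting. Records for protos absent from the Decode-app-layer-proto value are dropped at parse time rather than at match time, which is the "otherwise NOT registered" behaviour the mail asks for and keeps the match loop short. Depth is treated as the number of bytes inspected from Offset, so "GET|20|" with Depth 4 only ever compares the first four bytes of a to-server payload; a payload shorter than offset plus pattern length is rejected before any memcmp, and the hex decoder checks both the output bound and that every |..| group is closed and well formed.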