[Oisf-devel] [RFC PATCH 0/9] minimal SCTP support
Victor Julien
victor at inliniac.net
Sat Mar 5 10:09:06 UTC 2011
I've applied this with one modification: I've reduced the
SCTP_HEADER_LEN to 12.
Thanks a lot Eric!
Cheers,
Victor
On 02/28/2011 05:44 PM, Eric Leblond wrote:
> Hi,
>
> Here's a patchset which provides basic SCTP support in Suricata. The
> keyword sctp can now be used in rules like 'udp' or 'tcp'. Port filtering
> is working and basic flow support is implemented.
>
> The main limitation is linked to the way SCTP handles data. An SCTP packet
> contains a variable number of sub-elements named chunks. Chunks are typed,
> and userspace data is stored in DATA chunks. Thus, to be able to filter on
> application payload, we will have to extract all DATA chunks and test the
> signature on them.
>
> The current implementation sees all chunks as the payload, and payload
> matching is thus also done on chunk headers. Extended support should
> at least provide:
> * A keyword to match only on DATA chunks
> * A dedicated reassembly algorithm
> The first part seems not to be trivial because it involves matching only
> on a subset of the payload.
>
> Any idea on how to implement this easily?
>
> The second part is clearly non-trivial, and a big effort will be needed to
> accomplish this task.
>
> Patchset statistics:
> src/Makefile.am | 1 +
> src/decode-events.h | 3 ++
> src/decode-icmpv4.h | 1 +
> src/decode-icmpv6.c | 1 +
> src/decode-icmpv6.h | 1 +
> src/decode-ipv4.c | 4 ++
> src/decode-ipv6.c | 7 ++++
> src/decode-sctp.c | 75 +++++++++++++++++++++++++++++++++++++++++
> src/decode-sctp.h | 50 +++++++++++++++++++++++++++
> src/decode.c | 2 +
> src/decode.h | 20 +++++++++++
> src/detect-engine-proto.c | 4 ++
> src/detect-parse.c | 3 +-
> src/detect.c | 48 ++++++++++++++++++++++++--
> src/flow-private.h | 1 +
> src/flow-util.c | 5 +++
> src/flow.c | 2 +-
> src/respond-reject-libnet11.c | 1 +
> src/util-validate.h | 2 +
> 19 files changed, 225 insertions(+), 6 deletions(-)
>
> BR,
> --
> Eric Leblond <eric at regit.org>
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
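The chunk layout Eric describes, and the difference between matching on the whole chunk area versus only on DATA chunk payloads, as an added example. This is not Suricata's code and not part of Eric's patch; it assumes the RFC 4960 wire format (12-byte common header, which is the SCTP_HEADER_LEN Victor settled on; 4-byte chunk header of type, flags and length; 16-byte DATA chunk header; chunks padded to a 4-byte boundary with the padding excluded from the length field), does not verify the CRC32c checksum, and the sample packet is constructed by hand. The function names are illustrative, not Suricata's.

```c
/* Added example (not Suricata's code or Eric's patch): walk an SCTP packet's
 * chunk list and expose only the user payload of DATA chunks to a matcher,
 * contrasted with matching on the whole chunk area. Layout per RFC 4960:
 * 12-byte common header, 4-byte chunk header (type, flags, length), 16-byte
 * DATA chunk header, chunks padded to 4 bytes. The CRC32c is not verified. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SCTP_HEADER_LEN         12  /* src port, dst port, vtag, checksum */
#define SCTP_CHUNK_HDR_LEN       4  /* type, flags, length */
#define SCTP_DATA_CHUNK_HDR_LEN 16  /* chunk hdr + TSN + stream id + seq + PPID */
#define SCTP_CHUNK_TYPE_DATA     0

typedef void (*sctp_data_cb)(const uint8_t *data, size_t len, void *ctx);

static int mem_find(const uint8_t *hay, size_t hlen, const uint8_t *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen)
        return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Iterate the chunks; call cb (if non-NULL) with each DATA chunk's user data.
 * Returns the number of DATA chunks, or -1 if the packet is malformed. */
int sctp_for_each_data_chunk(const uint8_t *pkt, size_t pktlen, sctp_data_cb cb, void *ctx)
{
    if (pktlen < SCTP_HEADER_LEN)
        return -1;
    size_t off = SCTP_HEADER_LEN;
    int ndata = 0;
    while (off < pktlen) {
        if (pktlen - off < SCTP_CHUNK_HDR_LEN)
            return -1;                              /* truncated chunk header */
        uint8_t type = pkt[off];
        uint16_t clen = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]); /* excludes padding */
        if (clen < SCTP_CHUNK_HDR_LEN || clen > pktlen - off)
            return -1;                              /* bogus length or runs past the packet */
        if (type == SCTP_CHUNK_TYPE_DATA) {
            if (clen < SCTP_DATA_CHUNK_HDR_LEN)
                return -1;
            if (cb)
                cb(pkt + off + SCTP_DATA_CHUNK_HDR_LEN, clen - SCTP_DATA_CHUNK_HDR_LEN, ctx);
            ndata++;
        }
        off += ((size_t)clen + 3) & ~(size_t)3;     /* next chunk on a 4-byte boundary */
    }
    return ndata;
}

/* What the RFC patch does: match on everything after the common header,
 * chunk headers included. Returns 1 on match, 0 otherwise. */
int sctp_match_all_chunks(const uint8_t *pkt, size_t pktlen, const uint8_t *needle, size_t nlen)
{
    if (pktlen < SCTP_HEADER_LEN)
        return 0;
    return mem_find(pkt + SCTP_HEADER_LEN, pktlen - SCTP_HEADER_LEN, needle, nlen);
}

struct needle_ctx { const uint8_t *needle; size_t nlen; int hits; };

static void needle_cb(const uint8_t *data, size_t len, void *ctx)
{
    struct needle_ctx *n = ctx;
    if (mem_find(data, len, n->needle, n->nlen))
        n->hits++;
}

/* DATA-only matching: number of DATA chunks whose user data contains the
 * needle; 0 for a malformed packet. */
int sctp_match_data_chunks(const uint8_t *pkt, size_t pktlen, const uint8_t *needle, size_t nlen)
{
    struct needle_ctx n = { needle, nlen, 0 };
    return sctp_for_each_data_chunk(pkt, pktlen, needle_cb, &n) < 0 ? 0 : n.hits;
}

/* Constructed sample (not a capture): common header, one SACK chunk, then
 * two DATA chunks carrying "GET /admin" and "hello". Checksum left at zero. */
static const uint8_t SAMPLE_PKT[] = {
    0x0b,0x59, 0x0b,0x59, 0xde,0xad,0xbe,0xef, 0x00,0x00,0x00,0x00,   /* common header */
    0x03,0x00, 0x00,0x10, 0x00,0x00,0x00,0x2a, 0x00,0x01,0x00,0x00,   /* SACK, length 16 */
    0x00,0x00, 0x00,0x00,
    0x00,0x03, 0x00,0x1a, 0x00,0x00,0x00,0x01, 0x00,0x00, 0x00,0x00,  /* DATA, length 26 */
    0x00,0x00,0x00,0x00, 'G','E','T',' ','/','a','d','m','i','n', 0x00,0x00,
    0x00,0x03, 0x00,0x15, 0x00,0x00,0x00,0x02, 0x00,0x00, 0x00,0x01,  /* DATA, length 21 */
    0x00,0x00,0x00,0x00, 'h','e','l','l','o', 0x00,0x00,0x00,
};
static const size_t SAMPLE_PKT_LEN = sizeof(SAMPLE_PKT);
```

Against the sample packet, a pattern like "admin" is found by both matchers, but the four bytes of the SACK chunk header (03 00 00 10) are found only by the whole-area matcher: that is the false-positive surface Eric mentions when chunk headers are treated as payload. The length checks in the chunk walker are the part worth keeping in any real decoder, since a chunk length field smaller than the chunk header or larger than the remaining packet would otherwise drive the offset out of bounds. Reassembly of fragmented DATA chunks across packets (the B/E flags and TSN ordering) is the separate, larger task and is not attempted here.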