[Oisf-devel] Oisf-devel Digest, Vol 29, Issue 16

Prabhakaran Kasinathan prabhakaran1989 at gmail.com
Thu Jul 5 10:52:08 UTC 2012


Dear Developers,

Thank you for your support (Victor Julien)! It has taken some time for me
to analyze, going back to C language books... and work with the protocol
decoder, since I am very new to this kind of big software.

I tried to change something in source-pcap.c and checked whether it works
when I compile and run the program.

Steps followed:

   1. I created a new file for my protocol and imitated the steps followed
   in others like *decode-ethernet.c*
   2. Added a case to *switch (p->datalink)* for my protocol decode function.
   These are basic steps to try and understand what works when I change
   something.

Output:

   1. Through a small change in a print line, I found my changes are working
   and I am following the correct path.


Noob questions (sorry for this, but I need some help):

   1. Will the compiler compile my new file by default? Or should I add it
   manually somewhere in the configure file to make it fit into the build
   system?
   2. How do I test the unit test functions written at the end of each
   protocol's decoder file?
   3. Can we use *Eclipse* or any other IDE for debugging, to check step
   by step what happens next? Since it links almost all functions, it is
   very difficult to follow what happens next by following all the
   pointers. If so, how do I do it? Or what are you people using for
   development?


On Tue, May 15, 2012 at 6:00 PM, <
oisf-devel-request at openinfosecfoundation.org> wrote:

> Send Oisf-devel mailing list submissions to
>         oisf-devel at openinfosecfoundation.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> or, via email, send a message with subject or body 'help' to
>         oisf-devel-request at openinfosecfoundation.org
>
> You can reach the person managing the list at
>         oisf-devel-owner at openinfosecfoundation.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Oisf-devel digest..."
>
>
> Today's Topics:
>
>    1. Re: Adding New Protocol Support for Suricata (Victor Julien)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 15 May 2012 13:30:06 +0200
> From: Victor Julien <victor at inliniac.net>
> Subject: Re: [Oisf-devel] Adding New Protocol Support for Suricata
> To: oisf-devel at openinfosecfoundation.org
> Message-ID: <4FB23E3E.3090407 at inliniac.net>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 05/14/2012 12:01 PM, Prabhakaran Kasinathan wrote:
> > Dear Developers,
> >
> > I am doing my master of science thesis at Politecnico di Torino, Italy.
> > My thesis concentrates on developing an efficient intrusion detection
> > system for Wireless Sensor Networks. Basically concentrating on the
> > protocols (* IEEE 802.15.4, 6LoWPAN *and its application level
> > protocol *COAP(Http)* ) . I have been trying to analyse SNORT and
> > SURICATA ( Both don't support decoding these protocols ). Found
> > SURICATA has some better capabilities, hence decided to work with this.
> > But to start with I have some problems.
> >
> > Problem:
> >
> >   * Currently I have a sensor node which sniffs the IEEE 802.15.4
> >     traffic and forwards it to a virtual Interface ( TUN/TAP ).
> >   * I tried to run Suricata on that interface , I got the error
> >
> >     8/5/2012 -- 17:02:56 - <Error> - [ERRCODE:
> >     SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 195 not
> >     yet supported in module DecodePcap
> >
> > Question:
> >
> >   * How to add support for this datalink type in DecodePcap?
>
> Check the DecodePcap function in source-pcap.c. Currently Linux SLL,
> Ethernet, Raw and PPP are supported there.
>
> >   * How to develop decoder for a new protocol? // /Better to have some
> >     examples,tutorials./
>
> I agree that would be useful. Until we have that, please have a look at
> a decoder like the one for ethernet in decode-ethernet.c
>
> >   * Wireshark can dissect almost all the protocols which I need. Is
> >     there any way we can use it for developing decoder for Suricata?
>
> Only as a reference. There is no way to directly use it in Suricata.
>
> > It would be a great help for me to start and contribute for this
> > opensource community through my thesis.
>
> I agree that would be nice! Feel free to ask more questions, that's what
> this list is for!
>
> Cheers,
> Victor
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
> ------------------------------
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
> End of Oisf-devel Digest, Vol 29, Issue 16
> ******************************************
>



-- 
Best Regards,
Prabhakaran Kasinathan
+39 3279720502
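As an added, stand-alone illustration of the two steps discussed in this thread (a per-datalink case in a DecodePcap-style switch, plus a separate decoder in the role decode-ethernet.c plays for Ethernet), here is a small C program. It is example code written for this page, not Suricata code: it does not use Suricata's Packet, DecodeThreadVars or SCLogError machinery, and the struct, enum and function names are this example's own. The value 195 comes from the error message quoted above (it is DLT_IEEE802_15_4 in libpcap). The decoder reads the IEEE 802.15.4 MAC header (frame control field, sequence number, PAN IDs and addresses) from a constructed sample frame and checks every length before it touches a byte, because frames reaching an IDS decoder are untrusted input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* libpcap DLT numbers. 195 is the value from the error quoted in this thread
 * (DLT_IEEE802_15_4 in libpcap); the _VAL names are this example's own. */
#define DLT_EN10MB_VAL       1
#define DLT_IEEE802_15_4_VAL 195

/* Outcomes; DECODE_UNSUPPORTED_DLT mirrors SC_ERR_DATALINK_UNIMPLEMENTED. */
enum decode_status { DECODE_OK = 0, DECODE_UNSUPPORTED_DLT, DECODE_TRUNCATED, DECODE_INVALID };

/* Fields of the 802.15.4 MAC header (hypothetical struct, not Suricata's). */
struct ieee802154_hdr {
    uint8_t frame_type;      /* 0 beacon, 1 data, 2 ack, 3 MAC command */
    uint8_t seq;
    uint8_t dst_mode;        /* 0 absent, 2 short (16-bit), 3 extended (64-bit) */
    uint8_t src_mode;
    int     pan_compress;    /* 1: source PAN ID omitted, dest PAN ID covers both */
    size_t  hdr_len;         /* bytes before the MAC payload */
};

static size_t addr_len(uint8_t mode)
{
    return mode == 2 ? 2 : mode == 3 ? 8 : 0;   /* mode 1 is reserved */
}

/* Decoder for datalink 195, in the role decode-ethernet.c plays for Ethernet.
 * Every length is checked before the corresponding bytes are read. */
int decode_ieee802154(const uint8_t *pkt, size_t len, struct ieee802154_hdr *out)
{
    if (len < 3)                       /* FCF (2 bytes) + sequence number */
        return DECODE_TRUNCATED;
    uint16_t fcf = (uint16_t)(pkt[0] | (pkt[1] << 8));   /* little-endian */
    out->frame_type   = fcf & 0x7;
    out->pan_compress = (fcf >> 6) & 1;
    out->dst_mode     = (fcf >> 10) & 0x3;
    out->src_mode     = (fcf >> 14) & 0x3;
    out->seq          = pkt[2];
    if (out->dst_mode == 1 || out->src_mode == 1)
        return DECODE_INVALID;         /* reserved addressing mode */
    size_t need = 3;
    if (out->dst_mode != 0)
        need += 2 + addr_len(out->dst_mode);         /* dest PAN ID + address */
    if (out->src_mode != 0) {
        if (!(out->pan_compress && out->dst_mode != 0))
            need += 2;                               /* source PAN ID present */
        need += addr_len(out->src_mode);
    }
    if (len < need)                    /* header claims more than we were given */
        return DECODE_TRUNCATED;
    out->hdr_len = need;
    return DECODE_OK;
}

/* The dispatch step from the thread: one case per datalink type. */
int decode_pcap(int datalink, const uint8_t *pkt, size_t len,
                struct ieee802154_hdr *out)
{
    switch (datalink) {
    case DLT_IEEE802_15_4_VAL:
        return decode_ieee802154(pkt, len, out);
    default:                       /* Ethernet etc. are not modelled here */
        return DECODE_UNSUPPORTED_DLT;
    }
}

/* Constructed sample: data frame, PAN compression, 16-bit dest 0x0001 and
 * source 0x0002 in PAN 0xabcd, then two payload bytes. */
static const uint8_t SAMPLE_FRAME[] = {
    0x41, 0x88,    /* FCF 0x8841: type 1, compress, short dst and src */
    0x05,          /* sequence number */
    0xcd, 0xab,    /* dest PAN ID */
    0x01, 0x00,    /* dest short address */
    0x02, 0x00,    /* source short address; its PAN ID is compressed away */
    0x7a, 0x33     /* payload */
};
#define SAMPLE_FRAME_LEN sizeof(SAMPLE_FRAME)

/* Decode the first `len` bytes of the sample as `datalink`; returns the status. */
int sample_status(int datalink, size_t len)
{
    struct ieee802154_hdr h;
    return decode_pcap(datalink, SAMPLE_FRAME, len, &h);
}

/* Header length of the full sample (9 bytes here), or 0 if it does not decode. */
size_t sample_hdr_len(void)
{
    struct ieee802154_hdr h = {0};
    int rc = decode_pcap(DLT_IEEE802_15_4_VAL, SAMPLE_FRAME, SAMPLE_FRAME_LEN, &h);
    return rc == DECODE_OK ? h.hdr_len : 0;
}
```

The full sample decodes with a 9-byte header; handing the decoder only its first 6 bytes yields DECODE_TRUNCATED rather than a read past the buffer, and passing datalink 1 (Ethernet) falls through to the unsupported-datalink path, which is the branch the quoted error message comes from. Keeping truncation and reserved-mode failures as distinct statuses lets a capture engine count them separately instead of silently dropping the frame.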