[Oisf-devel] Oisf-devel Digest, Vol 29, Issue 16
Victor Julien
victor at inliniac.net
Thu Jul 5 10:55:45 UTC 2012
On 07/05/2012 12:52 PM, Prabhakaran Kasinathan wrote:
> Dear Developers,
>
> Thank you for your support (Victor Julien) ! It has taken some time for
> me to analyze, going back to C lang books... and work with the protocol
> decoder, since I am very new to this kind of big software.
>
> I tried to change something in source-pcap.c and checked whether it
> works when I compile and run the program.
>
> Steps followed:
>
> 1. I created a new file for my protocol and imitated the steps followed
> in others like /decode-ethernet.c/
> 2. Added a case to /switch (p->datalink)/ for my protocol decode function.
> These are basic steps to try and understand what works when I change
> something.
>
> Output:
>
> 1. Through a small change in a print line, I found my changes are
> working and I am following the correct path.
>
>
> Noob Questions: (sorry for this, but need some help)
>
> 1. Will the compiler by default compile my new file? Or should I add
> it manually somewhere in the configure file to make it fit into the
> system build?
You will have to add the file to src/Makefile.am
> 2. How to test the unit test functions written at the end of each
> protocol's decoder file?
Configure with --enable-unittests and then run Suricata as follows:
suricata -u
> 3. Can we use *eclipse* or any other IDE for debugging and to check
> step by step what happens next? Since it links almost all functions,
> it is very difficult to follow what happens next by following all the
> pointers. If so, how to do it? Or what are you people using for
> development?
I think you should read up on gdb :)
Cheers,
Victor
>
>
> On Tue, May 15, 2012 at 6:00 PM,
> <oisf-devel-request at openinfosecfoundation.org
> <mailto:oisf-devel-request at openinfosecfoundation.org>> wrote:
>
>
>
> Today's Topics:
>
> 1. Re: Adding New Protocol Support for Suricata (Victor Julien)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 15 May 2012 13:30:06 +0200
> From: Victor Julien <victor at inliniac.net <mailto:victor at inliniac.net>>
> Subject: Re: [Oisf-devel] Adding New Protocol Support for Suricata
> To: oisf-devel at openinfosecfoundation.org
> <mailto:oisf-devel at openinfosecfoundation.org>
> Message-ID: <4FB23E3E.3090407 at inliniac.net
> <mailto:4FB23E3E.3090407 at inliniac.net>>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 05/14/2012 12:01 PM, Prabhakaran Kasinathan wrote:
> > Dear Developers,
> >
> > I am doing my master of science thesis at Politecnico di Torino,
> Italy.
> > My thesis concentrates on developing an efficient intrusion detection
> > system for Wireless Sensor Networks, basically concentrating on the
> > protocols (*IEEE 802.15.4, 6LoWPAN* and its application-level
> > protocol *CoAP (HTTP)*). I have been trying to analyse SNORT and
> > SURICATA (both don't support decoding these protocols). Found
> > SURICATA has some better capabilities, hence decided to work with
> this.
> > But to start with I have some problems.
> >
> > Problem:
> >
> > * Currently I have a sensor node which sniffs the IEEE 802.15.4
> > traffic and forwards it to a virtual interface (TUN/TAP).
> > * I tried to run Suricata on that interface, I got the error
> >
> > 8/5/2012 -- 17:02:56 - <Error> - [ERRCODE:
> > SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 195 not
> > yet supported in module DecodePcap
> >
> > Question:
> >
> > * How to add support for this datalink type in DecodePcap?
>
> Check the DecodePcap function in source-pcap.c. Currently Linux SLL,
> Ethernet, Raw and PPP are supported there.
>
> > * How to develop a decoder for a new protocol? // /Better to have some
> > examples, tutorials./
>
> I agree that would be useful. Until we have that, please have a look at
> a decoder like the one for ethernet in decode-ethernet.c
>
> > * Wireshark can dissect almost all the protocols which I need. Is
> > there any way we can use it for developing decoder for Suricata?
>
> Only as a reference. There is no way to directly use it in Suricata.
>
> > It would be a great help for me to start and contribute for this
> > opensource community through my thesis.
>
> I agree that would be nice! Feel free to ask more questions, that's what
> this list is for!
>
> Cheers,
> Victor
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
> ------------------------------
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> <mailto:Oisf-devel at openinfosecfoundation.org>
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
> End of Oisf-devel Digest, Vol 29, Issue 16
> ******************************************
>
>
>
>
> --
> Best Regards,
> Prabhakaran Kasinathan
> +39 3279720502
>
>
>
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
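The steps discussed in this thread (a new decode-*.c file modelled on decode-ethernet.c, a case added to the datalink switch, and unit tests kept at the end of the decoder file) are sketched here as an added stand-alone example. It is not Suricata's code and does not use Suricata's Packet structure or its DecodePcap function; the datalink value 195 is taken from the error message quoted above (libpcap's DLT_IEEE802_15_4), while the struct, function and test names are hypothetical. The point a decoder author should take from it is the bounds checking: every field read is preceded by a length check, so a short or malformed frame from an untrusted radio link is reported as truncated instead of being read past the end of the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 195 is the datalink value from the error on the page (DLT_IEEE802_15_4).
 * The Ethernet value is only used to show the "unsupported" path. */
#define DLT_IEEE802_15_4_EXAMPLE 195
#define DLT_EN10MB_EXAMPLE 1

enum decode_result { DECODE_OK = 0, DECODE_TRUNCATED = -1, DECODE_UNSUPPORTED = -2 };

/* Hypothetical parsed view of an IEEE 802.15.4 MAC header (not Suricata's). */
struct ieee802154_hdr {
    uint16_t fcf;         /* frame control field, little-endian on the wire */
    uint8_t  frame_type;  /* fcf bits 0-2: 0 beacon, 1 data, 2 ack, 3 MAC command */
    uint8_t  seq;         /* sequence number */
    size_t   hdr_len;     /* bytes consumed by the MAC header */
    size_t   payload_len; /* bytes left for the upper layer (6LoWPAN) */
};

/* Address field length for an addressing mode; mode 1 is reserved. */
static size_t addr_len(unsigned mode)
{
    switch (mode) {
    case 0:  return 0;           /* no address present */
    case 2:  return 2;           /* short address */
    case 3:  return 8;           /* extended address */
    default: return (size_t)-1;  /* reserved mode: refuse to guess */
    }
}

/* Parse the MAC header, reading nothing beyond len bytes. */
int decode_ieee802154(const uint8_t *pkt, size_t len, struct ieee802154_hdr *h)
{
    const size_t fcs_len = 2; /* assumption: frames at this DLT carry the trailing FCS */
    if (len < 3 + fcs_len)
        return DECODE_TRUNCATED;
    h->fcf = (uint16_t)(pkt[0] | (pkt[1] << 8));
    h->frame_type = h->fcf & 0x7;
    h->seq = pkt[2];
    unsigned pan_compress = (h->fcf >> 6) & 1;
    unsigned dst_mode = (h->fcf >> 10) & 3;
    unsigned src_mode = (h->fcf >> 14) & 3;
    size_t dlen = addr_len(dst_mode), slen = addr_len(src_mode);
    if (dlen == (size_t)-1 || slen == (size_t)-1)
        return DECODE_UNSUPPORTED;
    size_t need = 3;
    if (dst_mode) need += 2 + dlen;                    /* dest PAN id + dest address */
    if (src_mode) need += (pan_compress ? 0 : 2) + slen; /* src PAN id unless compressed */
    if (len < need + fcs_len)                          /* header claims more than we have */
        return DECODE_TRUNCATED;
    h->hdr_len = need;
    h->payload_len = len - need - fcs_len;
    return DECODE_OK;
}

/* Dispatch on the capture datalink, mirroring the switch (p->datalink) step. */
int decode_by_datalink(int datalink, const uint8_t *pkt, size_t len, struct ieee802154_hdr *h)
{
    switch (datalink) {
    case DLT_IEEE802_15_4_EXAMPLE:
        return decode_ieee802154(pkt, len, h);
    default:
        return DECODE_UNSUPPORTED; /* where Suricata logs SC_ERR_DATALINK_UNIMPLEMENTED */
    }
}

/* Constructed sample frame: data frame, PAN id compression on, short dst and
 * src addresses, 4-byte payload, 2-byte FCS (not verified here). */
static const uint8_t sample_frame[] = {
    0x41, 0x88,             /* FCF 0x8841 */
    0x07,                   /* sequence number */
    0x34, 0x12,             /* dest PAN id 0x1234 */
    0x02, 0x00,             /* dest short address 0x0002 */
    0x01, 0x00,             /* src short address 0x0001 */
    0xde, 0xad, 0xbe, 0xef, /* payload */
    0x00, 0x00              /* FCS */
};

/* Unit tests in the style of the ones at the end of each decoder file; names are hypothetical. */
int DecodeIEEE802154Test01(void)
{
    struct ieee802154_hdr h;
    if (decode_by_datalink(DLT_IEEE802_15_4_EXAMPLE, sample_frame, sizeof sample_frame, &h) != DECODE_OK)
        return 0;
    return h.frame_type == 1 && h.seq == 7 && h.hdr_len == 9 && h.payload_len == 4;
}

int DecodeIEEE802154TestTruncated(void)
{
    struct ieee802154_hdr h;
    /* FCF promises two short addresses but only 6 bytes arrive */
    return decode_by_datalink(DLT_IEEE802_15_4_EXAMPLE, sample_frame, 6, &h) == DECODE_TRUNCATED;
}

int DecodeDatalinkUnsupportedTest(void)
{
    struct ieee802154_hdr h;
    return decode_by_datalink(DLT_EN10MB_EXAMPLE, sample_frame, sizeof sample_frame, &h) == DECODE_UNSUPPORTED;
}

int main(void)
{
    printf("decode test: %s\n", DecodeIEEE802154Test01() ? "PASS" : "FAIL");
    printf("truncation test: %s\n", DecodeIEEE802154TestTruncated() ? "PASS" : "FAIL");
    printf("unsupported datalink test: %s\n", DecodeDatalinkUnsupportedTest() ? "PASS" : "FAIL");
    return 0;
}
```

In a real decoder file the three test functions would be registered the way the existing decode-*.c files do, so that `suricata -u` (with --enable-unittests) runs them alongside the others; the truncation test is the one worth copying, since capture buffers from a sniffing node are attacker-controlled input.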