[Oisf-devel] PREPROCESSOR IDEA: Reliable Fast Flux Detection
Seth Hall
seth at icir.org
Tue Mar 20 12:39:01 UTC 2012

On Mar 20, 2012, at 5:05 AM, Victor Julien wrote:
> On 03/19/2012 07:14 PM, Martin Holste wrote:
>> How about a dev utility that converts Wireshark modules into
>> preprocessors suitable for Suricata?
>
> I think this would be a very significant effort due to the differences
> between the code bases, the libraries used, etc.
We have a BinPAC parser for DNS. When the parser is "compiled" by BinPAC it just outputs C++ code for parsing DNS.
Here's the source for the parser:
http://git.bro-ids.org/bro.git/blob/HEAD:/src/dns-protocol.pac
Here's the output C++:
https://gist.github.com/2134712
Here's the file that uses the parser (as an example of how to work with BinPAC parsers):
http://git.bro-ids.org/bro.git/blob/HEAD:/src/DNS-binpac.cc
Unfortunately, now that I've played with it for a minute, I see that we need to do a bit more work to separate the parser from Bro (it's intended to not depend on Bro at all). If I have a chance, I'll look into doing that soon.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/