[Oisf-devel] PREPROCESSOR IDEA: Reliable Fast Flux Detection
Victor Julien
victor at inliniac.net
Tue Mar 20 13:20:51 UTC 2012
On 03/20/2012 01:39 PM, Seth Hall wrote:
>
> On Mar 20, 2012, at 5:05 AM, Victor Julien wrote:
>
>> On 03/19/2012 07:14 PM, Martin Holste wrote:
>>> How about a dev utility that converts Wireshark modules into
>>> preprocessors suitable for Suricata?
>>
>> I think this would be a very significant effort due to the differences
>> between the code bases, the libraries used, etc.
>
> We have a BinPAC parser for DNS. When the parser is "compiled" by BinPAC it just outputs C++ code for parsing DNS.
>
> Here's the source for the parser:
> http://git.bro-ids.org/bro.git/blob/HEAD:/src/dns-protocol.pac
>
> Here's the output C++:
> https://gist.github.com/2134712
>
> Here's the file that uses the parser (as an example of how to work with BinPAC parsers):
> http://git.bro-ids.org/bro.git/blob/HEAD:/src/DNS-binpac.cc
>
> Unfortunately now that I play with it for a minute, I see that we need to do a bit more work to separate the parser from Bro (it's intended to not depend on Bro at all). If I have a chance, I'll look into doing that soon.
Thanks Seth.
Still need to experiment with how integration of binpac's C++ output
would work. Wonder if it would be hard to modify binpac to output C99
code? Any idea? Never looked at the code yet.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
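Victor's question about C99 output prompts this added example, which is neither BinPAC output nor Bro or Suricata code: a hand-written C99 decoder for DNS names, the part of a DNS parser that most needs care because label compression lets a malformed packet point the parser out of bounds or into a loop. `dns_decode_name`, `MAX_POINTER_HOPS` and the constructed `sample_msg` are my own names and data, not anything from the thread.

```c
/* Hypothetical C99 DNS name decoder, added as an illustration; not BinPAC
 * output and not Suricata code. Handles RFC 1035 label compression with strict
 * bounds checks and a pointer-hop limit, as any parser fed hostile packets must. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_POINTER_HOPS 16   /* caps compression-pointer chains */

/* Constructed sample message (not a capture): 12-byte header, "www.example.com"
 * at offset 12, "mail" + pointer to offset 16 at offset 29, self-pointer at 36. */
static const uint8_t sample_msg[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    4,'m','a','i','l', 0xC0,0x10,
    0xC0,0x24
};

/* Decode the name at msg[off] into out (dotted, NUL-terminated). Returns the
 * offset just past the name in the original stream (after the first pointer
 * if one was followed), or -1 if the input is malformed. */
int dns_decode_name(const uint8_t *msg, size_t len, size_t off,
                    char *out, size_t outlen)
{
    size_t cur = off, outpos = 0;
    int end_off = -1, hops = 0;
    if (outlen == 0) return -1;
    for (;;) {
        if (cur >= len) return -1;                 /* ran off the message */
        uint8_t lab = msg[cur];
        if ((lab & 0xC0) == 0xC0) {                /* compression pointer */
            if (cur + 1 >= len || ++hops > MAX_POINTER_HOPS) return -1;
            size_t target = ((size_t)(lab & 0x3F) << 8) | msg[cur + 1];
            if (end_off < 0) end_off = (int)(cur + 2);
            if (target >= cur) return -1;          /* pointers must go backwards */
            cur = target;
            continue;
        }
        if (lab & 0xC0) return -1;                 /* 0x40/0x80 are reserved */
        cur++;
        if (lab == 0) break;                       /* root label ends the name */
        size_t need = outpos + (outpos ? 1 : 0) + lab;
        if (cur + lab > len || need + 1 > outlen) return -1;
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, msg + cur, lab);
        outpos += lab;
        cur += lab;
    }
    out[outpos] = '\0';
    return end_off < 0 ? (int)cur : end_off;
}
```

Note that the backwards-only rule alone does not stop every loop (two pointers can still cycle through a region already visited), which is why the hop limit is kept as a second guard.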