[Oisf-devel] Adding New Protocol Support for Suricata
Victor Julien
victor at inliniac.net
Tue May 15 11:30:06 UTC 2012
On 05/14/2012 12:01 PM, Prabhakaran Kasinathan wrote:
> Dear Developers,
>
> I am doing my master of science thesis at Politecnico di Torino, Italy.
> My thesis concentrates on developing an efficient intrusion detection
> system for Wireless Sensor Networks, basically concentrating on the
> protocols (IEEE 802.15.4, 6LoWPAN and its application level
> protocol COAP (HTTP)). I have been trying to analyse SNORT and
> SURICATA (both don't support decoding these protocols). Found
> SURICATA has some better capabilities, hence decided to work with this.
> But to start with I have some problems.
>
> Problem:
>
> * Currently I have a sensor node which sniffs the IEEE 802.15.4
> traffic and forwards it to a virtual interface (TUN/TAP).
> * I tried to run Suricata on that interface, and I got the error
>
> 8/5/2012 -- 17:02:56 - <Error> - [ERRCODE:
> SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 195 not
> yet supported in module DecodePcap
>
> Question:
>
> * How to add support for this datalink type in DecodePcap?
Check the DecodePcap function in source-pcap.c. Currently Linux SLL,
Ethernet, Raw and PPP are supported there.
> * How to develop a decoder for a new protocol? // Better to have some
> examples, tutorials.
I agree that would be useful. Until we have that, please have a look at
a decoder like the one for Ethernet in decode-ethernet.c.
> * Wireshark can dissect almost all the protocols which I need. Is
> there any way we can use it for developing a decoder for Suricata?
Only as a reference. There is no way to directly use it in Suricata.
> It would be a great help for me to start and contribute to this
> open-source community through my thesis.
I agree that would be nice! Feel free to ask more questions, that's what
this list is for!
Cheers,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
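The decoder work Victor points at starts with parsing the link-layer frame that the capture hands over, and for datalink type 195 that frame is an IEEE 802.15.4 MAC frame. As an added example that is not part of this thread or of Suricata's own decoders, the following bounds-checked parser for the 802.15.4 MAC header (frame control field, sequence number, PAN ids and addresses) shows the shape such a decoder takes; the field layout follows the published frame control field, while the struct and function names are hypothetical and the sample frame is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    uint8_t frame_type, security, pan_compress, seq;
    uint16_t dst_pan, src_pan;
    uint8_t dst_len, src_len, dst[8], src[8];  /* address lengths are 0, 2 or 8 */
    size_t payload_off;                        /* start of MAC payload (e.g. 6LoWPAN) */
} Ieee802154Hdr;

/* FCF address-mode field (2 bits) -> address length in bytes; mode 1 is reserved. */
static int addr_len(unsigned mode) { return mode == 0 ? 0 : mode == 2 ? 2 : mode == 3 ? 8 : -1; }

/* The 802.15.4 MAC header is little-endian. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Constructed sample: data frame, short 16-bit addresses, PAN id compression, no FCS. */
static const uint8_t sample_frame[] = { 0x41, 0x88, 0x05, 0xcd, 0xab, 0x01, 0x00, 0x02, 0x00, 0x7e, 0x33 };

/* Parse one MAC header. Returns 0 on success, -1 if truncated or malformed: every
 * read is bounds-checked against len, so a short or crafted frame cannot over-read. */
int ieee802154_parse(const uint8_t *p, size_t len, Ieee802154Hdr *h) {
    memset(h, 0, sizeof(*h));
    if (len < 3) return -1;                    /* FCF (2 bytes) + sequence number (1) */
    uint16_t fcf = le16(p);
    h->frame_type   = fcf & 0x7;               /* 0 beacon, 1 data, 2 ack, 3 MAC command */
    h->security     = (fcf >> 3) & 1;
    h->pan_compress = (fcf >> 6) & 1;          /* source PAN id omitted when set */
    int dl = addr_len((fcf >> 10) & 3), sl = addr_len((fcf >> 14) & 3);
    if (dl < 0 || sl < 0) return -1;
    h->dst_len = (uint8_t)dl; h->src_len = (uint8_t)sl; h->seq = p[2];
    size_t off = 3;
    if (dl) {                                  /* destination PAN id + address */
        if (len < off + 2 + (size_t)dl) return -1;
        h->dst_pan = le16(p + off);
        memcpy(h->dst, p + off + 2, (size_t)dl);
        off += 2 + (size_t)dl;
    }
    if (sl) {                                  /* source PAN id (unless compressed) + address */
        if (h->pan_compress) {
            h->src_pan = h->dst_pan;
        } else {
            if (len < off + 2) return -1;
            h->src_pan = le16(p + off);
            off += 2;
        }
        if (len < off + (size_t)sl) return -1;
        memcpy(h->src, p + off, (size_t)sl);
        off += (size_t)sl;
    }
    h->payload_off = off; return 0;
}
```

Captures with datalink type 195 carry a trailing 2-byte FCS, so a decoder using this header parser would also subtract it from the payload length before handing the bytes to a 6LoWPAN layer.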