[Oisf-devel] Flow inspection

עמית קליינמן a.b.kleinmann at gmail.com
Tue Feb 26 18:49:17 UTC 2013


I am piggybacking here on earlier posts by Jörg Vehlow.
It looks as if I am trying to accomplish a similar task: inspecting a stream
of TCP packets that belong to a certain TCP flow
(a flow is shared between all packets with the same 5-tuple: (protocol,
src, dst, sp, dp)).

For example:
For an HTTP session with one request there will be two messages, the
request and the response.
If there is another request in the HTTP session it will have four messages
(request, response, request, response).
The order in which the messages appear is important. Together with the
payload of a message, the time of the first frame and the direction should
be saved.

I am actually inspecting several such TCP flows, i.e., I need to divide
each of the TCP flows into messages while
keeping the order in which the messages were sent.

Jörg mentioned he "hooked into the Applayer parser, managed the flags that
control the behavior of the reassembler himself
and buffered the data to be able to feed it to the applayer parser the way
it was before he hooked into"

I wonder if this is the best way to implement this mechanism on top of
Suricata. If so, can someone elaborate on that, please?
Is there a better alternative? Some examples would be very helpful.

Thanks in advance for any feedback,

Amit
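The flow-keying and message-splitting the post describes, as an added stand-alone example (not Suricata code, nor anything Jörg or Amit posted): constructed TCP segments are grouped into flows by a direction-independent 5-tuple key, and each flow is cut into ordered messages on every change of direction, recording direction, the timestamp of the first frame and the payload. The boundary rule (direction change), the `Segment`/`Message`/`Flow` types and the sample traffic are assumptions of this example, not from the post.

```python
"""Split constructed TCP segments into per-flow, ordered messages.

Added example, not Suricata code: segments are grouped by a canonical
5-tuple, then each flow's data is cut into messages at direction changes,
keeping direction and first-frame timestamp alongside the payload.
"""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]
FlowKey = Tuple[str, Endpoint, Endpoint]


@dataclass
class Segment:
    ts: float          # capture timestamp of the frame
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str         # TCP flags as letters, e.g. "S", "SA", "PA" (assumed encoding)
    payload: bytes


@dataclass
class Message:
    direction: str     # "to_server" (from the originator) or "to_client"
    first_ts: float    # timestamp of the first frame carrying this message
    payload: bytes


@dataclass
class Flow:
    client: Optional[Endpoint] = None          # originator, once known
    messages: List[Message] = field(default_factory=list)


def flow_key(seg: Segment) -> FlowKey:
    """Canonical bidirectional key: both directions of a flow map to the same key."""
    a: Endpoint = (seg.src, seg.sport)
    b: Endpoint = (seg.dst, seg.dport)
    return (seg.proto, a, b) if a <= b else (seg.proto, b, a)


def split_into_messages(segments: List[Segment]) -> "OrderedDict[FlowKey, Flow]":
    """Group segments by flow and cut each flow into direction-delimited messages.

    Assumed boundary rule: a message ends when the direction changes. That is
    enough for strict request/response exchanges; pipelined requests would
    need a protocol-aware parser to be split further.
    """
    flows: "OrderedDict[FlowKey, Flow]" = OrderedDict()
    # Stable sort by timestamp keeps capture order for equal timestamps.
    for seg in sorted(segments, key=lambda s: s.ts):
        key = flow_key(seg)
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow()
        sender: Endpoint = (seg.src, seg.sport)
        if flow.client is None:
            # A bare SYN identifies the originator. For a flow picked up
            # mid-stream, fall back to whoever sends the first data; that
            # guess is wrong for server-speaks-first protocols.
            if seg.flags == "S" or seg.payload:
                flow.client = sender
        if not seg.payload:
            continue                      # handshake / pure ACK: no application data
        direction = "to_server" if sender == flow.client else "to_client"
        if flow.messages and flow.messages[-1].direction == direction:
            flow.messages[-1].payload += seg.payload   # next segment of the same message
        else:
            flow.messages.append(Message(direction, seg.ts, seg.payload))
    return flows


def _seg(ts, src, sport, dst, dport, flags, payload=b""):
    return Segment(ts, "tcp", src, sport, dst, dport, flags, payload)


# Constructed sample traffic: two interleaved HTTP sessions, the first with two requests.
SAMPLE_SEGMENTS = [
    _seg(1.000, "10.0.0.5", 40001, "192.0.2.10", 80, "S"),
    _seg(1.001, "192.0.2.10", 80, "10.0.0.5", 40001, "SA"),
    _seg(1.002, "10.0.0.5", 40001, "192.0.2.10", 80, "A"),
    _seg(1.003, "10.0.0.5", 40001, "192.0.2.10", 80, "PA", b"GET /a HTTP/1.1\r\nHost: x\r\n\r\n"),
    _seg(1.004, "10.0.0.5", 40002, "192.0.2.20", 80, "S"),
    _seg(1.006, "192.0.2.20", 80, "10.0.0.5", 40002, "SA"),
    _seg(1.008, "10.0.0.5", 40002, "192.0.2.20", 80, "PA", b"GET /c HTTP/1.1\r\nHost: y\r\n\r\n"),
    _seg(1.010, "192.0.2.10", 80, "10.0.0.5", 40001, "PA", b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\n"),
    _seg(1.011, "192.0.2.10", 80, "10.0.0.5", 40001, "PA", b"ok"),
    _seg(1.020, "10.0.0.5", 40001, "192.0.2.10", 80, "PA", b"GET /b HTTP/1.1\r\nHost: x\r\n\r\n"),
    _seg(1.025, "192.0.2.20", 80, "10.0.0.5", 40002, "PA", b"HTTP/1.1 204 No Content\r\n\r\n"),
    _seg(1.030, "192.0.2.10", 80, "10.0.0.5", 40001, "PA", b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
]


def summarize(flows):
    """(client, server, [(direction, first_ts, payload_len), ...]) per flow, first-seen order."""
    out = []
    for key, flow in flows.items():
        server = key[1] if key[2] == flow.client else key[2]
        out.append((flow.client, server,
                    [(m.direction, m.first_ts, len(m.payload)) for m in flow.messages]))
    return out


if __name__ == "__main__":
    for client, server, msgs in summarize(split_into_messages(SAMPLE_SEGMENTS)):
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}")
        for direction, ts, n in msgs:
            print(f"  {ts:.3f} {direction:<9} {n} bytes")
```

Two points a practitioner should keep in mind: the direction-change rule merges pipelined requests (or a response split across several segments, which is what you want) into one message, so anything protocol-aware belongs in an application-layer parser rather than in this loop; and the originator guess for flows seen without their SYN is only a heuristic.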