[Oisf-devel] Some questions about module development
Victor Julien
victor at inliniac.net
Wed Feb 20 11:00:43 UTC 2013
On 02/01/2013 03:30 PM, Jörg Vehlow wrote:
> What I'm trying to do is to divide the stream into messages. A message
> is a continuous part of the stream (stream means bidirectional stream
> here) in one direction.
> For an HTTP session with one request there will be two messages, the
> request and the response.
> If there is another request in the http session it will have four
> messages. (Request, response, request, response)
> The order in which the messages appear is important. Together with the
> payload of a message, the time of the first frame and direction should be
> saved.
>
> Something like:
> struct Message {
>     char *data;            /* payload bytes of this message */
>     uint32_t length;       /* number of bytes in data */
>     int direction;         /* to-server or to-client */
>
>     struct Message *next;  /* next message in stream order */
> };
>
> The benefit of this representation of the stream is that you can do
> statistical matches on the length of the individual messages or the time
> between two messages. I hope to be able to detect some malware c'n'c
> traffic with this. Often you have limited message lengths or somewhat
> fixed intervals between messages.
>
> The rules to divide a bidirectional tcp stream into messages are as follows:
> - begin of stream -> create new message
> - change of transmission direction -> create new message
> - timeout after last received packet (say if no packet is received within
> 2 seconds) -> create new message
>
>
> The only thing I need at the moment is the packets of a tcp stream in the
> correct order. This is essentially what the reassembler should do, I think...
I think that if you're interested in HTTP only, the best way to achieve
this would be to hook into the app-layer-htp entry functions. You can
then use the parser's knowledge of when one request ends and the next
starts (in case of request pipelining).
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
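The three splitting rules quoted in Jörg's message (new message at stream start, on a direction change, and after an idle gap), implemented as an added example that is not Suricata code and not from either poster. It assumes a `Packet` struct standing in for reassembled, in-order TCP segments, a `Message` struct modelled on the one in the post with first/last timestamps added, a hypothetical 2-second idle timeout, and a constructed six-segment sample stream (an HTTP exchange split across segments, then a quiet period and a short same-direction "beacon"). The per-message length, direction and inter-message gap are what a statistical C&C match would consume.

```c
/* Added example, not Suricata code: split an in-order bidirectional TCP
 * stream into messages by the three rules from the post, then expose
 * length/direction/gap per message for statistical matching. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { DIR_TOSERVER = 0, DIR_TOCLIENT = 1 };

/* One reassembled, in-order TCP segment (in a real module these would come
 * from the stream reassembler; here they are constructed inline). */
typedef struct Packet {
    double ts;               /* capture time, seconds */
    int direction;
    const uint8_t *payload;
    uint32_t len;
} Packet;

/* A message: contiguous payload in one direction. Hypothetical struct,
 * modelled on the post's, with timestamps added for the idle-timeout rule. */
typedef struct Message {
    uint8_t *data;
    uint32_t length;
    int direction;
    double first_ts;         /* time of the first segment in the message */
    double last_ts;          /* time of the last segment; drives the timeout */
    struct Message *next;
} Message;

void free_messages(Message *m)
{
    while (m) { Message *n = m->next; free(m->data); free(m); m = n; }
}

/* Append a segment's payload to a message; returns 0 on success. */
static int message_append(Message *m, const Packet *p)
{
    uint8_t *d = realloc(m->data, (size_t)m->length + p->len + 1);
    if (!d) return -1;
    memcpy(d + m->length, p->payload, p->len);
    m->data = d;
    m->length += p->len;
    m->data[m->length] = 0;  /* NUL-terminate so data prints as a string */
    m->last_ts = p->ts;
    return 0;
}

static Message *message_new(const Packet *p)
{
    Message *m = calloc(1, sizeof(*m));
    if (!m) return NULL;
    m->direction = p->direction;
    m->first_ts = p->ts;
    if (message_append(m, p) != 0) { free(m); return NULL; }
    return m;
}

/* Rules: stream start -> new message; direction change -> new message;
 * idle gap > timeout seconds since the previous segment -> new message.
 * Segments must already be in stream order (the reassembler's job). */
Message *split_messages(const Packet *pkts, size_t n, double timeout, size_t *count_out)
{
    Message *head = NULL, *tail = NULL;
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        const Packet *p = &pkts[i];
        int start_new = tail == NULL
                     || p->direction != tail->direction
                     || (p->ts - tail->last_ts) > timeout;
        if (start_new) {
            Message *m = message_new(p);
            if (!m) { free_messages(head); return NULL; }
            if (tail) tail->next = m; else head = m;
            tail = m;
            count++;
        } else if (message_append(tail, p) != 0) {
            free_messages(head);
            return NULL;
        }
    }
    if (count_out) *count_out = count;
    return head;
}

const Message *message_at(const Message *head, size_t idx)
{
    while (head && idx--) head = head->next;
    return head;
}

/* Idle time between the end of message idx-1 and the start of message idx. */
double message_gap(const Message *head, size_t idx)
{
    const Message *prev = idx ? message_at(head, idx - 1) : NULL;
    const Message *cur = message_at(head, idx);
    return (prev && cur) ? cur->first_ts - prev->last_ts : 0.0;
}

static Packet mk(double ts, int dir, const char *s)
{
    Packet p = { ts, dir, (const uint8_t *)s, (uint32_t)strlen(s) };
    return p;
}

/* Constructed sample: request and response each arrive in two segments,
 * then a >2 s quiet period, a same-direction "beacon" and its reply. */
Message *demo_stream(size_t *count)
{
    Packet pkts[6];
    pkts[0] = mk(0.000, DIR_TOSERVER, "GET / HTTP/1.1\r\n");
    pkts[1] = mk(0.010, DIR_TOSERVER, "Host: example.test\r\n\r\n");
    pkts[2] = mk(0.050, DIR_TOCLIENT, "HTTP/1.1 200 OK\r\n\r\n");
    pkts[3] = mk(0.060, DIR_TOCLIENT, "ok");
    pkts[4] = mk(5.000, DIR_TOCLIENT, "ping");  /* idle > 2 s: new message */
    pkts[5] = mk(5.020, DIR_TOSERVER, "pong");
    return split_messages(pkts, 6, 2.0, count);  /* 2 s timeout is assumed */
}

size_t demo_message_count(void)
{
    size_t n = 0;
    free_messages(demo_stream(&n));
    return n;
}

int main(void)
{
    size_t n = 0, i = 0;
    Message *head = demo_stream(&n);
    for (const Message *m = head; m; m = m->next, i++)
        printf("msg %zu dir=%d len=%u gap=%.3f\n", i, m->direction, m->length, message_gap(head, i));
    free_messages(head);
    return 0;
}
```

Note that the direction-change rule alone cannot separate pipelined HTTP requests sent back-to-back in one direction, which is the case Victor's reply addresses: only the protocol parser knows where one request ends and the next begins.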