[Oisf-devel] Application Layer & DNS

Carl Soeder csoeder at bbn.com
Mon Jan 7 18:31:15 UTC 2013



I want to add the capability for Suricata to check various fields in the
content of a DNS packet such as invalid query class, invalid query type,
invalid response class, invalid response type, time-to-live of cached RR
below a certain threshold, invalid label character.


It seems the right way to do this may be to add an application layer module.
Would you agree?


I couldn't find documentation about application layer modules on the web
site. Is there any available?


It appears an application layer module is triggered by packet content. I got
this impression by looking at calls to AplProtoAdd. Is this correct? Is
there a way to trigger an application layer module based on port?



Carl Soeder
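
The field checks listed in the message above, sketched as an added example (not part of the original post and not Suricata code). It assumes "invalid" means "not in a local allowlist"; `KNOWN_CLASSES`, `KNOWN_TYPES`, `MIN_TTL`, `LABEL_OK` and both function names are hypothetical, and only the question and answer sections are inspected.

```python
import struct

# Assumed policy for this example: the allowlists and TTL floor are illustrative.
KNOWN_CLASSES = {1, 3, 4, 254, 255}                  # IN CH HS NONE ANY
KNOWN_TYPES = {1, 2, 5, 6, 12, 15, 16, 28, 33, 255}  # A NS CNAME SOA PTR MX TXT AAAA SRV ANY
MIN_TTL = 60                                         # seconds
LABEL_OK = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")

def read_name(msg, off, findings):  # checks labels, returns offset past the name
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends the name (target not followed)
            return off + 2
        label = msg[off + 1:off + 1 + n]
        if n > 63 or len(label) < n:
            raise ValueError("bad label length")
        if not set(label) <= LABEL_OK:
            findings.append(f"invalid label character in {label!r}")
        off += 1 + n

def check_dns(msg):  # returns a list of findings for one DNS message
    off, findings = 12, []
    try:
        _id, _flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
        for i in range(qd + an):
            kind = "query" if i < qd else "response"
            off = read_name(msg, off, findings)
            rtype, rclass = struct.unpack_from("!2H", msg, off)
            off += 4
            if rtype not in KNOWN_TYPES:
                findings.append(f"invalid {kind} type {rtype}")
            if rclass not in KNOWN_CLASSES:
                findings.append(f"invalid {kind} class {rclass}")
            if kind == "response":  # answer RRs also carry TTL and RDATA
                ttl, rdlen = struct.unpack_from("!IH", msg, off)
                off += 6 + rdlen
                if off > len(msg):
                    raise ValueError("rdata runs past end of message")
                if ttl < MIN_TTL:
                    findings.append(f"response TTL {ttl} below {MIN_TTL}")
    except (struct.error, IndexError, ValueError):
        findings.append("truncated or malformed message")
    return findings

# Constructed sample: response for "ex!ample.com" with one A record, TTL 5.
SAMPLE = (bytes.fromhex("123481800001000100000000") + b"\x08ex!ample\x03com\x00"
          + bytes.fromhex("00010001c00c00010001000000050004c0000201"))
```

`check_dns(SAMPLE)` reports the `!` in the first label and the 5-second TTL; a message cut off mid-label yields a single "truncated or malformed message" finding instead of an exception.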
