[Oisf-devel] Problem identifying direction correctly for app-layer preprocessor

Anoop Saldanha anoopsaldanha at gmail.com
Sun Dec 28 16:33:19 UTC 2014


On Sun, Dec 28, 2014 at 12:30 AM, Adrian Falk <adrianfalk2 at gmail.com> wrote:
> I'm working on an app-layer preprocessor for a TCP-based protocol, modeled
> after Modbus.
>
> While running different traffic through my app-layer preprocessor I notice
> while replaying certain capture files the protocol packets identified are in
> the wrong direction (a to-server packet is identified as a to-client
> packet). I have also noticed that for certain other capture files the
> preprocessor doesn't successfully identify any protocol packets although
> such packets are present.
>
> I'm running Suricata as follows:
> suricata -c /etc/suricata.yaml -r protocol.pcap
>
> I'm using suricata.2.0.4 with mostly default settings except I'm running
> with 'midstream equal to true'.
>
> What function in RegisterXParsers() ensures that the protocol packets are
> identified successfully and in the correct direction?
>

If you are picking the flow up midstream, there is no way atm to
reverse the direction, if the stream layer sees the wrong direction
first.  That's something that needs to be implemented along with
picking the start offset for the next full/new app layer record, in
the stream, so that the app layer parser can initiate parsing from
that offset.

-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
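As an added illustration, not code from this thread or from Suricata itself: a stand-alone C sketch of a Modbus/TCP-style probing check that derives the direction of a record from its content instead of trusting the direction the flow engine assigned from the first packet it saw, and that answers "unknown" when the bytes do not begin on a record boundary, which is the midstream situation described above. The function names, the enum and the restriction to function code 0x03 (Read Holding Registers) are assumptions made for this example; the sample buffers are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical result type for this sketch (not Suricata's API). */
enum dir { DIR_UNKNOWN = 0, DIR_TOSERVER = 1, DIR_TOCLIENT = 2 };

/* Modbus/TCP MBAP header: txid(2) protoid(2, always 0) length(2) unitid(1),
 * followed by the function code. Only function 0x03 is modelled here. */
#define MBAP_LEN 7

/* Classify one buffer from its content. Returns DIR_UNKNOWN when the bytes
 * do not start at a plausible record boundary or the record is incomplete,
 * so a caller must not commit to a direction from them (midstream pickup). */
enum dir classify_modbus(const uint8_t *buf, size_t len)
{
    if (len < MBAP_LEN + 1) return DIR_UNKNOWN;
    uint16_t proto = (uint16_t)((buf[2] << 8) | buf[3]);
    uint16_t plen  = (uint16_t)((buf[4] << 8) | buf[5]); /* bytes after the length field */
    uint8_t  fc    = buf[7];
    if (proto != 0 || plen < 2 || plen > 254) return DIR_UNKNOWN;
    if (len < (size_t)6 + plen) return DIR_UNKNOWN;       /* record not complete yet */
    if (fc == 0x03) {
        /* request: unit(1) fc(1) addr(2) qty(2) -> plen == 6 */
        if (plen == 6) return DIR_TOSERVER;
        /* response: unit(1) fc(1) bytecount(1) data(bytecount) -> plen == 3 + bytecount */
        if (plen == 3u + buf[8] && buf[8] % 2 == 0) return DIR_TOCLIENT;
    }
    if (fc == 0x83 && plen == 3) return DIR_TOCLIENT;     /* exception response */
    return DIR_UNKNOWN;
}

/* 1 when the content-derived direction disagrees with the flow's assigned
 * direction: the symptom from the thread (reply seen first on a midstream flow). */
int direction_mismatch(const uint8_t *buf, size_t len, enum dir flow_dir)
{
    enum dir d = classify_modbus(buf, len);
    return d != DIR_UNKNOWN && d != flow_dir;
}

/* Constructed samples: a Read Holding Registers request and its 20-byte-data response. */
static const uint8_t REQ[]    = {0x00,0x01,0x00,0x00,0x00,0x06,0x01,0x03,0x00,0x00,0x00,0x0a};
static const uint8_t RESP[29] = {0x00,0x01,0x00,0x00,0x00,0x17,0x01,0x03,0x14}; /* rest zero */

int main(void)
{
    printf("request  -> %d\n", classify_modbus(REQ, sizeof REQ));          /* 1 */
    printf("response -> %d\n", classify_modbus(RESP, sizeof RESP));        /* 2 */
    printf("midstream-> %d\n", classify_modbus(RESP + 7, sizeof RESP - 7)); /* 0 */
    return 0;
}
```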