[Oisf-devel] Develop a pre-processor for a TCP based protocol

Victor Julien victor at inliniac.net
Fri Oct 3 07:03:45 UTC 2014

On 09/29/2014 05:01 PM, Adrian Falk wrote:
> I am thinking about how to develop a Suricata pre-processor for a TCP
> based L7 protocol. I have looked at the Suricata source code and have
> also
> reviewed https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Inspection_Module 

For this case, you'll need to use the app layer api instead. Sadly, it's
not documented yet.

> I have the following questions:
> 1.  Adding code as per the above document will allow me to add new
> keywords as well as allow me to perform protocol packet boilerplate
> checks (len, checksum, etc). Correct?
> 2. How would I add support for protocol detection?
> 3. How would I add stateful packet processing for the L7 protocol?

I would like to suggest having a look at this work

It does all that you ask for modbus.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-devel mailing list