[Oisf-devel] Develop a pre-processor for a TCP based protocol
Adrian Falk
adrianfalk2 at gmail.com
Tue Oct 28 14:51:43 UTC 2014
Thanks Victor. This is exactly what I was looking for.
Following are an observation and a follow-up question.
Observation: A cosmetic nit I saw when I pulled in the modbus files and ran
Suricata. In the file app-layer-detect-proto.c add the following changes to
fix this cosmetic nit:
688,689d687
else if (pp_pe->alproto == ALPROTO_MODBUS)
printf(" alproto: ALPROTO_MODBUS\n");
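Review bot: the hunk header `688,689d687` is a classic-format delete instruction, yet the message says these two lines are to be added, and the `<`/`>` line markers are missing, so the direction of the change is ambiguous. Regenerating it with `diff -u old new` so the added lines carry a `+` and land in context would let a maintainer apply it without guessing which file was which.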
739,740d736
else if (pp_pe->alproto == ALPROTO_MODBUS)
printf(" alproto: ALPROTO_MODBUS\n");
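Review bot: this hunk repeats the same two lines as the first with no surrounding context or indentation, so a reader cannot tell which spot in app-layer-detect-proto.c (the 688 location versus the 739 location) each pair is meant for; a unified diff would show the enclosing code for both.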
Follow-up question: Is there a file that you can point me to that performs
packet reassembly at L7?
Thanks.
On Fri, Oct 3, 2014 at 3:03 AM, Victor Julien <victor at inliniac.net> wrote:
> On 09/29/2014 05:01 PM, Adrian Falk wrote:
> > I am thinking about how to develop a Suricata pre-processor for a TCP
> > based L7 protocol. I have looked at the Suricata source code and have
> > also reviewed
> > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Inspection_Module
>
> For this case, you'll need to use the app layer api instead. Sadly, it's
> not documented yet.
>
> > I have the following questions:
> >
> > 1. Adding code as per the above document will allow me to add new
> > keywords as well as allow me to perform protocol packet boilerplate
> > checks (len, checksum, etc). Correct?
> >
> > 2. How would I add support for protocol detection?
> >
> > 3. How would I add stateful packet processing for the L7 protocol?
> >
>
> I would like to suggest having a look at this work
> https://github.com/inliniac/suricata/pull/1134
>
> It does all that you ask for modbus.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate:
> http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
>
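The three points raised in this thread (detecting the protocol, processing it statefully, and why the parser needs reassembled L7 data rather than individual packets) in one small constructed C example. This is not Suricata's app-layer code and not the modbus work in the pull request; it uses only the public Modbus/TCP framing (7-byte MBAP header: transaction id, protocol id, length, unit id) to show a detection probe and a framer that carries partial bytes across TCP segments.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed example, not Suricata's app-layer code. MBAP header:
 * transaction id (2), protocol id (2, always 0), length (2, bytes that
 * follow, unit id included), unit id (1); the function code byte follows. */
#define MBAP_LEN   7
#define MB_MAX_ADU 260          /* MBAP + 253-byte PDU maximum */

typedef struct {
    uint8_t  buf[MB_MAX_ADU];   /* bytes carried over between segments */
    size_t   used;
    unsigned complete;          /* complete ADUs seen so far */
    unsigned malformed;         /* headers that failed sanity checks */
} mb_state_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Protocol-detection style probe on the first bytes of a stream:
 * protocol id must be 0 and the length field must be plausible. */
int mb_probe(const uint8_t *d, size_t n) {
    if (n < MBAP_LEN + 1) return 0;
    uint16_t len = be16(d + 4);
    return be16(d + 2) == 0 && len >= 2 && len <= MB_MAX_ADU - 6;
}

/* Feed one TCP segment's payload. Returns the number of complete ADUs
 * extracted by this call; a partial trailing ADU stays in the state. */
unsigned mb_feed(mb_state_t *s, const uint8_t *d, size_t n) {
    unsigned got = 0;
    while (n > 0) {
        size_t room = sizeof s->buf - s->used;
        size_t take = n < room ? n : room;
        memcpy(s->buf + s->used, d, take);
        s->used += take; d += take; n -= take;
        while (s->used >= MBAP_LEN) {
            size_t adu = 6 + be16(s->buf + 4);         /* whole frame size */
            if (be16(s->buf + 2) != 0 || adu > sizeof s->buf || adu < MBAP_LEN + 1) {
                s->malformed++; s->used = 0; return got; /* resync: drop buffer */
            }
            if (s->used < adu) break;                    /* wait for more data */
            got++; s->complete++;
            memmove(s->buf, s->buf + adu, s->used - adu);
            s->used -= adu;
        }
    }
    return got;
}
```

A detection probe sees only the first bytes of a flow, while the framer must remember what it has already consumed; that is why the latter needs the stream-reassembled data that the follow-up question asks about.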