[Oisf-devel] Develop a pre-processor for a TCP based protocol
DIALLO David
diallo at et.esiea.fr
Thu Oct 30 13:48:04 UTC 2014
Hi Adrian,
Thanks for your feedback regarding your observation (cosmetic nit).
Regards,
David DIALLO (Modbus pre-processor's author).
On 28/10/2014 15:51, Adrian Falk wrote:
> Thanks Victor. This is exactly what I was looking for.
>
> Following are an observation and a follow-up question.
>
> Observation: A cosmetic nit I saw when I pulled in the modbus files
> and ran Suricata. In the file app-layer-detect-proto.c add the
> following changes to fix this cosmetic nit:
> 688,689d687
> else if (pp_pe->alproto == ALPROTO_MODBUS)
> printf(" alproto: ALPROTO_MODBUS\n");
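Review bot: the hunk header `688,689d687` is normal (ed-style) diff output, where `d` means lines 688-689 of the left-hand file are deleted, yet the covering sentence says to "add the following changes" and the `< ` markers that normal diff places on deleted lines are missing, so a reader cannot tell whether the `else if (pp_pe->alproto == ALPROTO_MODBUS)` / `printf(" alproto: ALPROTO_MODBUS\n");` pair is to be removed or inserted; please state the direction explicitly, or resend as a unified diff (`diff -u`) so the `+`/`-` markers and context lines survive mail quoting.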
> 739,740d736
> else if (pp_pe->alproto == ALPROTO_MODBUS)
> printf(" alproto: ALPROTO_MODBUS\n");
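Review bot: the hunk at `739,740d736` repeats exactly the two lines of the hunk at 688,689, which indicates the same pattern occurs at two sites in app-layer-detect-proto.c; the same add-versus-delete ambiguity applies here, and naming the enclosing function for each site (or including a few context lines) would let the change be applied once at each place without relying on line numbers that shift between trees.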
>
>
> Follow-up question: Is there a file that you can point me to that
> performs packet reassembly at L7?
>
> Thanks.
>
> On Fri, Oct 3, 2014 at 3:03 AM, Victor Julien <victor at inliniac.net
> <mailto:victor at inliniac.net>> wrote:
>
> On 09/29/2014 05:01 PM, Adrian Falk wrote:
> > I am thinking about how to develop a Suricata pre-processor for
> > a TCP based L7 protocol. I have looked at the Suricata source code and
> > have also reviewed
> > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Inspection_Module
>
> For this case, you'll need to use the app layer api instead. Sadly, it's
> not documented yet.
>
> > I have the following questions:
> >
> > 1. Adding code as per the above document will allow me to add new
> > keywords as well as allow me to perform protocol packet boilerplate
> > checks (len, checksum, etc). Correct?
> >
> > 2. How would I add support for protocol detection?
> >
> > 3. How would I add stateful packet processing for the L7 protocol?
> >
>
> I would like to suggest having a look at this work
> https://github.com/inliniac/suricata/pull/1134
>
> It does all that you ask for modbus.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Devel mailing list:
> oisf-devel at openinfosecfoundation.org
> <mailto:oisf-devel at openinfosecfoundation.org>
> Site: http://suricata-ids.org | Participate:
> http://suricata-ids.org/participate/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
>
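The protocol-detection check asked about in question 2, and the frame-length bookkeeping behind the L7 reassembly follow-up, as an added stand-alone C example that is neither code from this thread nor from the Modbus pull request: it applies the MBAP header checks a probing parser for Modbus/TCP would perform on the first bytes of a client-to-server stream. The `probe_t` result type, the function names and the sample bytes are this example's own assumptions, not Suricata's API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* A detection hook needs three answers, not two: match, fail, or wait. */
typedef enum { PROBE_FAIL = 0, PROBE_MATCH = 1, PROBE_NEED_MORE = -1 } probe_t;

#define MBAP_HDR_LEN   7    /* tid(2) pid(2) len(2) uid(1); function code follows */
#define MODBUS_MAX_PDU 253  /* PDU limit; the MBAP length field counts uid + PDU */
/* Constructed sample bytes (not captures): a Read Holding Registers request
 * (fc 3, address 0, quantity 10), an exception response, and an HTTP line. */
static const uint8_t SAMPLE_MODBUS_REQ[] = {
    0x00, 0x01,  0x00, 0x00,  0x00, 0x06,  0x01,  /* tid=1 pid=0 len=6 uid=1 */
    0x03, 0x00, 0x00, 0x00, 0x0a                   /* PDU: fc=3 addr=0 qty=10 */
};
static const uint8_t SAMPLE_MODBUS_EXC[] = { 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x01, 0x83, 0x02 };
static const uint8_t SAMPLE_HTTP_REQ[] = "GET / HTTP/1.1\r\n";

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Client->server detection check on the first bytes of a stream: protocol id
 * must be 0, the length must cover unit id + function code and fit a legal
 * PDU, and the function code must be a request code (1..127; 0x80+ appear
 * only in exception responses). Too few bytes means "wait", not "fail". */
probe_t modbus_tcp_probe(const uint8_t *buf, size_t len)
{
    if (len < MBAP_HDR_LEN + 1)
        return PROBE_NEED_MORE;
    uint16_t proto_id = be16(buf + 2);
    uint16_t mbap_len = be16(buf + 4);
    uint8_t  func     = buf[7];
    if (proto_id != 0 || mbap_len < 2 || mbap_len > MODBUS_MAX_PDU + 1)
        return PROBE_FAIL;
    return (func == 0 || func > 127) ? PROBE_FAIL : PROBE_MATCH;
}

/* Size the MBAP length field implies for the whole ADU (0 if the header is
 * incomplete): what a stream parser buffers up to before stateful parsing. */
size_t modbus_tcp_adu_len(const uint8_t *buf, size_t len)
{
    return len < 6 ? 0 : 6 + (size_t)be16(buf + 4);
}

int main(void)
{
    printf("modbus: %d, adu %zu bytes\n", modbus_tcp_probe(SAMPLE_MODBUS_REQ, sizeof SAMPLE_MODBUS_REQ),
           modbus_tcp_adu_len(SAMPLE_MODBUS_REQ, sizeof SAMPLE_MODBUS_REQ));
    printf("exception: %d\n", modbus_tcp_probe(SAMPLE_MODBUS_EXC, sizeof SAMPLE_MODBUS_EXC));
    printf("http: %d, 4 bytes: %d\n", modbus_tcp_probe(SAMPLE_HTTP_REQ, sizeof SAMPLE_HTTP_REQ - 1),
           modbus_tcp_probe(SAMPLE_MODBUS_REQ, 4));
    return 0;
}
```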