[Oisf-devel] Develop a pre-processor for a TCP based protocol

DIALLO David diallo at et.esiea.fr
Thu Oct 30 13:48:04 UTC 2014


Hi Adrian,

Thanks for your feedback regarding your observation (cosmetic nit).

Regards,
David DIALLO (Modbus pre-processor's author).

On 28/10/2014 15:51, Adrian Falk wrote:
> Thanks Victor. This is exactly what I was looking for. 
>
> Following are an observation and a follow-up question.
>
> Observation: A cosmetic nit I saw when I pulled in the modbus files
> and ran Suricata. In the file app-layer-detect-proto.c add the
> following changes to fix this cosmetic nit:
> 688,689d687
>         else if (pp_pe->alproto == ALPROTO_MODBUS)
>             printf("        alproto: ALPROTO_MODBUS\n");
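Review bot: the hunk header 688,689d687 is plain `diff` normal format, where `d` marks the two lines as present only in the first file passed to diff, so whether they are being added or removed depends on the operand order; the message says to add them, which means the patched file must have been the first operand. Regenerate this with `diff -u` (or `git diff`) so the direction is explicit and `patch` gets context lines to locate the pp_pe->alproto chain even when the line numbers have shifted.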
> 739,740d736
>     else if (pp_pe->alproto == ALPROTO_MODBUS)
>         printf("        alproto: ALPROTO_MODBUS\n");
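Review bot: this hunk repeats the else-if/printf pair of the hunk at 688, differing only in indentation, so app-layer-detect-proto.c carries two copies of the alproto-to-name chain and every new ALPROTO_* has to be added to both, or one debug path prints a name while the other prints nothing, which is exactly the nit being fixed here. Consider factoring the alproto-to-string mapping into a single helper used by both call sites so the next protocol needs one change.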
>
>
> Follow-up question: Is there a file that you can point me to that
> performs packet reassembly at L7?
>
> Thanks.
>
> On Fri, Oct 3, 2014 at 3:03 AM, Victor Julien <victor at inliniac.net> wrote:
>
>     On 09/29/2014 05:01 PM, Adrian Falk wrote:
>     > I am thinking about how to develop a Suricata pre-processor for a TCP
>     > based L7 protocol. I have looked at the Suricata source code and have
>     > also reviewed
>     > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Inspection_Module
>
>     For this case, you'll need to use the app layer API instead. Sadly,
>     it's not documented yet.
>
>     > I have the following questions:
>     >
>     > 1.  Adding code as per the above document will allow me to add new
>     > keywords as well as allow me to perform protocol packet boilerplate
>     > checks (len, checksum, etc). Correct?
>     >
>     > 2. How would I add support for protocol detection?
>     >
>     > 3. How would I add stateful packet processing for the L7 protocol?
>     >
>
>     I would like to suggest having a look at this work
>     https://github.com/inliniac/suricata/pull/1134
>
>     It does all that you ask for modbus.
>
>     --
>     ---------------------------------------------
>     Victor Julien
>     http://www.inliniac.net/
>     PGP: http://www.inliniac.net/victorjulien.asc
>     ---------------------------------------------
>
>     _______________________________________________
>     Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
>     Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
>     List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>     Redmine: https://redmine.openinfosecfoundation.org/
>
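The three things Adrian asks about in the quoted thread, protocol detection, stateful processing and reassembly at L7, are what an app-layer parser does on top of the TCP stream that the engine has already reassembled. The following is an added illustration of that pattern for Modbus/TCP, not code from this thread, from Suricata or from the Modbus pull request: a probing function that decides on the first bytes of a request whether the flow looks like Modbus, and a per-flow state that buffers a partial MBAP frame so that a PDU split across TCP segments is still parsed whole. The names modbus_probe_request, modbus_feed, mb_state and sample_chunked_parse are this example's own, the byte stream is constructed, and the framing limits follow the Modbus/TCP specification (protocol id 0, length field covering unit id plus a PDU of at most 253 bytes).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Modbus/TCP framing constants (from the Modbus/TCP spec; not Suricata code). */
#define MBAP_HDR_LEN 7                  /* tid(2) + protocol id(2) + length(2) + unit id(1) */
#define MBAP_MAX_LEN 254                /* length field: unit id(1) + max PDU (253) */
#define MB_ADU_MAX   (6 + MBAP_MAX_LEN) /* 260: largest complete ADU */

enum mb_probe { MB_PROBE_UNKNOWN = 0, MB_PROBE_MATCH, MB_PROBE_FAIL };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Protocol detection on the first bytes a client sends. UNKNOWN means "cannot
 * decide yet, give me more"; FAIL means "not Modbus". A request function code
 * is 1..127 (bit 0x80 marks an exception and appears only in responses). */
enum mb_probe modbus_probe_request(const uint8_t *buf, size_t len)
{
    if (len < MBAP_HDR_LEN + 1)
        return MB_PROBE_UNKNOWN;
    uint16_t proto = be16(buf + 2), length = be16(buf + 4);
    uint8_t fc = buf[7];
    if (proto != 0 || length < 2 || length > MBAP_MAX_LEN)
        return MB_PROBE_FAIL;
    if (fc == 0 || fc > 127)
        return MB_PROBE_FAIL;
    return MB_PROBE_MATCH;
}

/* Per-flow, per-direction state. The partially received ADU survives between
 * calls, which is what lets the parser work on data delivered in segment-sized
 * pieces without ever seeing a frame boundary line up with a segment boundary. */
typedef struct {
    uint8_t  buf[MB_ADU_MAX];
    size_t   have;      /* bytes of the current ADU buffered so far */
    unsigned adus;      /* complete ADUs seen on this direction */
    int      broken;    /* framing error: parsing of this direction has stopped */
    uint16_t last_tid;
    uint8_t  last_fc;
} mb_state;

/* Consume one chunk of in-order stream data. Returns the number of ADUs this
 * chunk completed, or -1 on a framing error (an app-layer event in an IDS). */
int modbus_feed(mb_state *st, const uint8_t *data, size_t len)
{
    int completed = 0;
    if (st->broken)
        return -1;
    while (len > 0) {
        if (st->have < MBAP_HDR_LEN) {          /* still collecting the 7-byte header */
            size_t need = MBAP_HDR_LEN - st->have;
            size_t take = len < need ? len : need;
            memcpy(st->buf + st->have, data, take);
            st->have += take; data += take; len -= take;
            if (st->have < MBAP_HDR_LEN)
                break;                          /* header continues in the next segment */
            uint16_t proto = be16(st->buf + 2), length = be16(st->buf + 4);
            if (proto != 0 || length < 2 || length > MBAP_MAX_LEN) {
                st->broken = 1;                 /* do not resync on attacker-controlled bytes */
                return -1;
            }
        }
        size_t total = 6 + (size_t)be16(st->buf + 4);   /* fields before unit id + length */
        size_t need = total - st->have;
        size_t take = len < need ? len : need;
        memcpy(st->buf + st->have, data, take);
        st->have += take; data += take; len -= take;
        if (st->have < total)
            break;                              /* PDU continues in the next segment */
        st->last_tid = be16(st->buf);           /* complete ADU: record it, reset */
        st->last_fc = st->buf[7];
        st->adus++;
        completed++;
        st->have = 0;
    }
    return completed;
}

/* Constructed sample: two requests back to back, Read Holding Registers
 * (tid 1, fc 3, 10 registers from 0) then Write Single Coil (tid 2, fc 5). */
static const uint8_t MB_SAMPLE[24] = {
    0x00,0x01, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x00, 0x00,0x0A,
    0x00,0x02, 0x00,0x00, 0x00,0x06, 0x01, 0x05, 0x00,0x13, 0xFF,0x00,
};

/* Feed the sample in three chunks cut mid-header and mid-PDU, as TCP might
 * deliver it, and return how many ADUs were reassembled in total. */
int sample_chunked_parse(mb_state *st)
{
    static const size_t cuts[] = { 3, 13, 24 };
    size_t off = 0;
    int total = 0;
    for (size_t i = 0; i < sizeof cuts / sizeof cuts[0]; i++) {
        int n = modbus_feed(st, MB_SAMPLE + off, cuts[i] - off);
        if (n < 0)
            return -1;
        total += n;
        off = cuts[i];
    }
    return total;
}

int main(void)
{
    mb_state st = {0};
    int n = sample_chunked_parse(&st);
    printf("probe on first 8 bytes: %d\n", modbus_probe_request(MB_SAMPLE, 8));
    printf("ADUs reassembled from 3 chunks: %d (last tid %u, fc %u)\n",
           n, st.last_tid, st.last_fc);
    return 0;
}
```

Two design points carry over to a real parser. The probe returns a three-valued answer, because deciding "not Modbus" on fewer than eight bytes would misclassify a request whose header straddles a segment; the engine should nevertheless cap how much data it buffers before giving up. On a framing error the parser marks the direction broken and stops rather than scanning forward for something that looks like a header: resynchronising on a byte stream the peer controls is a classic way to let an attacker desynchronise the IDS from the real endpoint.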
