[Oisf-devel] Signature matching and app-layer reassembly

Adrian Falk adrianfalk2 at gmail.com
Tue Apr 28 17:19:44 UTC 2015


Please provide an example of how signature matching works on a app-layer
reassembled buffer.

To explain further, as part of app-layer parsing I perform app-layer
reassembly into a buffer (referenced by the app-layer protocol transaction
structure). However for signature matching in SigMatchSinatures() and all
the functions it calls, it uses the "Packet" data structure to get payload
and payload_len.

Is there an example of app-layer reassembly and how signatures (especially
payload inspection) is applied against a reassembled buffer instead of
buffer referenced by p->payload? I don't want to use a brand-new keyword to
implement this.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20150428/ef2c1a4d/attachment.html>

More information about the Oisf-devel mailing list