[Oisf-devel] Adding a Custom Action to Suricata

Victor Julien victor at inliniac.net
Thu Feb 25 08:09:13 UTC 2016



On 24-02-16 09:56, Mário Costa wrote:
> Hi Victor,
> 
> I want to perform application layer protocol signature matching, but
> in the scenario I'm the endpoint, and it may require several client-
> server message exchanges to identify the protocol.

Suricata won't be able to act as an endpoint itself.

Have you tried using the rule language to identify a protocol? Using
patterns, regex and/or lua script in combination with flowbits/flowints
you should be able to get a long way.

Do you have a specific protocol in mind?

Cheers,
Victor


> On Tue, Feb 23, 2016 at 12:23 PM, Victor Julien <victor at inliniac.net> wrote:
>> On 23-02-16 00:16, Mário Costa wrote:
>>> I wanted to add a set of rules (a signature); when the signature is
>>> detected, start a server (e.g. http, or other) with a protocol
>>> state machine to communicate with the incoming connection. Similar to
>>> what Haka says it does, but at the TCP layer.
>>
>> What kind of interaction are you seeking with a connection? In general
>> Suricata won't be able to start a server, although using the lua
>> scripting you can do many things, including starting external processes
>> if you'd want. Not sure if that is wise though :)
>>
>> Cheers,
>> Victor
>>
>>> Still not sure if Suricata is the best tool for that ...
>>>
>>> PS:
>>> This page is missing
>>> (https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Output_Plugins?parent=Suricata_Developers_Guide),
>>> but it is referenced from other pages.
>>>
>>> Thanks,
>>> mc
>>>
>>> On Mon, Feb 22, 2016 at 10:46 PM, Andreas Herz <andi at geekosphere.org> wrote:
>>>> On 22/02/16 at 22:43, Mário Costa wrote:
>>>>> I wanted to add a custom action to Suricata. Is there any Dev Guide? I
>>>>> could use the help on that.
>>>>
>>>> Would you like to share with us what you have in mind?
>>>>
>>>> But this is our guide:
>>>>
>>>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Developers_Guide
>>>>
>>>> --
>>>> Andreas Herz
>>>> _______________________________________________
>>>> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
>>>> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
>>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>> Redmine: https://redmine.openinfosecfoundation.org/
>>>> Developer Training in Paris Sept 12-16: http://suricata-ids.org/training/
>>>
>>


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
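Victor's suggestion above (use the rule language with content/pcre matches plus flowbits to track a multi-message exchange) can be made concrete with the following rule set. This is an added example, not code from the thread or from the Suricata project. It assumes a constructed, made-up line-based protocol ("EXAMPLE", on TCP/7777) whose identification needs three messages in order: a client greeting, a server welcome, and a client auth line. Suricata stays a passive observer here; it does not answer the client, it only records handshake progress on the flow with flowbits and alerts once the full sequence has been seen, or when a message arrives out of order.

```suricata
# Added example (not from the thread): identifying a constructed multi-step
# protocol "EXAMPLE" on TCP/7777 using content matches and flowbits.
#
# Constructed exchange that defines the protocol for this example:
#   1. client -> server : "HELLO <client-id>\n"
#   2. server -> client : "WELCOME\n"
#   3. client -> server : "AUTH <token>\n"
#
# Each stage sets a flowbit that the next stage requires; the intermediate
# stages use flowbits:noalert so only the final identification (or an
# out-of-order anomaly) produces an alert. $HOME_NET / $EXTERNAL_NET and the
# sid range 9000001-9000004 are assumptions for this example.

# Stage 1: client greeting at the start of the payload. Remember it on the
# flow, but do not alert yet.
alert tcp $HOME_NET any -> $EXTERNAL_NET 7777 (msg:"EXAMPLE proto stage 1 - client HELLO"; flow:established,to_server; content:"HELLO "; depth:6; flowbits:set,example.hello; flowbits:noalert; sid:9000001; rev:1;)

# Stage 2: server welcome, only meaningful if stage 1 was already seen on
# this flow. Still no alert.
alert tcp $EXTERNAL_NET 7777 -> $HOME_NET any (msg:"EXAMPLE proto stage 2 - server WELCOME"; flow:established,to_client; content:"WELCOME"; depth:7; flowbits:isset,example.hello; flowbits:set,example.welcome; flowbits:noalert; sid:9000002; rev:1;)

# Stage 3: client auth line with a token of at least 8 non-space characters.
# All three messages seen in order: the flow is identified as EXAMPLE and an
# alert is raised.
alert tcp $HOME_NET any -> $EXTERNAL_NET 7777 (msg:"EXAMPLE proto identified - full handshake observed"; flow:established,to_server; content:"AUTH "; depth:5; pcre:"/^AUTH \S{8,}\n/"; flowbits:isset,example.welcome; flowbits:set,example.identified; sid:9000003; rev:1;)

# Anomaly: an AUTH line without the preceding WELCOME on the same flow.
# Useful as a detection for clients that skip or replay handshake steps.
alert tcp $HOME_NET any -> $EXTERNAL_NET 7777 (msg:"EXAMPLE proto anomaly - AUTH without WELCOME"; flow:established,to_server; content:"AUTH "; depth:5; flowbits:isnotset,example.welcome; sid:9000004; rev:1;)
```

To try the rules offline against a capture, load them exclusively with `suricata -r handshake.pcap -S example.rules -l ./log` and inspect `fast.log` or `eve.json` in the log directory. Only sid 9000003 should fire for a well-formed three-message exchange, since the two earlier rules carry `flowbits:noalert`; a flow that sends AUTH first trips sid 9000004 instead. Where a protocol's state depends on counts rather than order (e.g. "N requests before a response"), the same structure works with `flowint` in place of `flowbits`.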



