[Oisf-devel] Suricata extension for layer 2 attacks

[Victor Julien]

Hi Awais,

On 06-03-2020 16:36, Awais Ali wrote:
> I am master student working in intrusion detection domain, now a days I
> am working on possible extension of Suricata for layer 2 attacks. 
> 
>  I want to detect attacks in special layer 2 protocols like Goose, CDPetc.
> 
> If I want to detect the attacks in the payload of the Goose protocol
> then there is no such solution since Suricata detects payload of layer 3
> and above.
> There are many such special protocols in in layer 2 where if you want to
> detect regular expressions/content in the payload then there is no such
> solution.
> 
> I want to extend suricata in this domain by writing decoders of that
> particular protocol the way we have for other protocols like tcp/udp
> above layer 3.
> I need to know how i can extend Suricata for layer 2?
> 
> I hope you will cooperate in this regard. I am looking forward to
> hearing from you.

Adding new decoder is relatively easy. There is a script to help you get
started from a template:

see: https://github.com/OISF/suricata/blob/master/scripts/setup-decoder.sh

Detection will be a bit more tricky, as the detection engine is mostly
built around L3+. The simplest way would be to add your detection to the
actual decoder, and set events from the decoder. The detection engine
can then match on that. The anomaly logger can log those events too.

If you want more advanced detection logic in the detection engine
itself, it will be more work. I'd be happy to work with you on that.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------