[Oisf-devel] Need Help To Customize Packet Source of Suricata

Jason Ish jason.ish at oisf.net
Mon Mar 9 18:53:41 UTC 2020


Hello,

On 2020-03-09 12:40 a.m., Maloy Kundu wrote:
> Hello,
> 
> I have one question about changing the packet source of Suricata.
> 
> Suricata receives packets from network interface by default. I need to
> have understanding or knowledge about how to modify the packet source of
> Suricata. Instead of probe interface, Suricata will receive packet from
> another process using shared memory. A process that receives packets
> from network probe interface will write packet in shared memory and from
> that shared memory Suricata will pick those packets for processing.
> 
> Can you please share knowledge or some pointers on this?


I'd first start by looking at our somewhat dated documentation we have
for this:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Acquisition_API

while following along with an existing source such as source-pcap.c, and
perhaps another like source-erf-dag.c (while for DAG interfaces, it's
essentially retrieving the packet from shared memory, just behind the
DAG libraries though). Basically your source gets the data from
wherever, and has to transform it into what is expected of Suricata.

Updates to the developer documentation are planned, but there should be
enough there to get a rough start.

Hope that helps,
Jason
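As an added illustration, not code from Suricata and not the packet acquisition API described on the wiki page above, here is a small C sketch of the consumer side Jason describes: pull a record out of a shared region, validate it, copy it into the packet structure the engine expects, and hand it on. The region layout, the `rec_hdr` record header, the `captured_pkt` struct and the heap-allocated stand-in for a `shm_open()`/`mmap()` region are all assumptions made for this example; the interesting part is that nothing read from shared memory is trusted until it has been bounds-checked.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record layout for the shared region. Real code would
 * mmap() this struct from shm_open(); here it is heap-allocated so the
 * example runs without a separate producer process. Not Suricata's format. */
#define SHM_CAPACITY 4096u
#define MAX_SNAPLEN  1518u

struct shm_region {
    volatile uint32_t head;          /* producer write offset into data[] */
    volatile uint32_t tail;          /* consumer read offset into data[] */
    uint8_t data[SHM_CAPACITY];
};

struct rec_hdr {                     /* precedes each packet in data[] */
    uint64_t ts_usec;
    uint32_t caplen;
};

/* What the capture module hands to the engine: a bounded private copy. */
struct captured_pkt {
    uint64_t ts_usec;
    uint32_t len;
    uint8_t  buf[MAX_SNAPLEN];
};

typedef void (*pkt_cb)(const struct captured_pkt *p, void *ctx);

/* Producer side (the process that reads the probe interface). */
int shm_write(struct shm_region *r, uint64_t ts, const uint8_t *pkt, uint32_t len)
{
    struct rec_hdr h = { ts, len };
    uint32_t need = (uint32_t)sizeof h + len;
    if (len > MAX_SNAPLEN || r->head > SHM_CAPACITY - need)
        return -1;                   /* too big or region full */
    memcpy(r->data + r->head, &h, sizeof h);
    memcpy(r->data + r->head + sizeof h, pkt, len);
    r->head += need;                 /* publish only after the payload is in place */
    return 0;
}

/* Consumer side. Returns 1 if one packet was delivered, 0 if the region
 * is empty, -1 if the contents fail validation (tail is left untouched
 * so the caller can decide how to resynchronise). */
int shm_read_one(struct shm_region *r, pkt_cb cb, void *ctx)
{
    uint32_t head = r->head;         /* snapshot: the producer may advance it */
    uint32_t tail = r->tail;
    struct rec_hdr h;
    struct captured_pkt p;

    if (tail == head)
        return 0;
    /* Trust nothing in shared memory: every offset and length is checked
     * against the region before it is used to index data[]. */
    if (head > SHM_CAPACITY || tail > head || head - tail < sizeof h)
        return -1;
    memcpy(&h, r->data + tail, sizeof h);
    if (h.caplen > MAX_SNAPLEN || h.caplen > head - tail - sizeof h)
        return -1;

    /* Transform the raw record into the engine's packet structure. */
    p.ts_usec = h.ts_usec;
    p.len = h.caplen;
    memcpy(p.buf, r->data + tail + sizeof h, h.caplen);
    cb(&p, ctx);

    r->tail = tail + (uint32_t)sizeof h + h.caplen;  /* release the slot */
    return 1;
}

/* Drain everything currently queued; returns packets delivered or -1. */
int shm_drain(struct shm_region *r, pkt_cb cb, void *ctx)
{
    int n = 0, rc;
    while ((rc = shm_read_one(r, cb, ctx)) == 1)
        n++;
    return rc < 0 ? -1 : n;
}

struct stats { int pkts; uint64_t bytes; };

static void count_cb(const struct captured_pkt *p, void *ctx)
{
    struct stats *s = ctx;
    s->pkts++;
    s->bytes += p->len;
}

/* Three constructed frames through the queue; returns packets delivered,
 * or -1 if the byte total does not match what was written (60+100+1500). */
int demo_roundtrip(void)
{
    struct shm_region *r = calloc(1, sizeof *r);
    uint8_t frame[MAX_SNAPLEN];
    struct stats s = { 0, 0 };
    int n;
    memset(frame, 0xAB, sizeof frame);   /* constructed payload bytes */
    shm_write(r, 1000, frame, 60);
    shm_write(r, 1001, frame, 100);
    shm_write(r, 1002, frame, 1500);
    n = shm_drain(r, count_cb, &s);
    free(r);
    return (s.bytes == 1660) ? n : -1;
}

/* A record whose caplen claims more than the region holds must be
 * rejected rather than copied; returns the consumer's result (-1). */
int demo_corrupt_record(void)
{
    struct shm_region *r = calloc(1, sizeof *r);
    struct rec_hdr bad = { 5, 60000 };  /* constructed bogus header */
    struct stats s = { 0, 0 };
    int rc;
    memcpy(r->data, &bad, sizeof bad);
    r->head = (uint32_t)sizeof bad + 64;  /* producer claims 64 bytes follow */
    rc = shm_read_one(r, count_cb, &s);
    free(r);
    return rc;
}

int main(void)
{
    printf("roundtrip delivered %d packets\n", demo_roundtrip());
    printf("corrupt record result %d\n", demo_corrupt_record());
    return 0;
}
```

The split between `shm_read_one` (validate and copy one record) and the callback mirrors what an acquisition module has to do regardless of where the bytes come from: the engine only ever sees the bounded private copy, never a pointer into memory another process can rewrite underneath it.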