[Oisf-users] Is there a guide how to add a new application layer protocol plugin
tidy at holonetsecurity.com
Mon Apr 10 01:16:12 EDT 2017
Jason, great, and thanks very much for your detailed info. I will update you when I run into issues.
-Tidy
> On Apr 10, 2017, at 12:11 PM, Jason Ish <lists at ish.cx> wrote:
>
> On 09/04/17 08:55 PM, tidy at holonetsecurity.com wrote:
>> I would like to add application protocol parsing to suricata engine,
>> example: DHCP protocol. what main framework code we need to change ?
>> Thanks.
>
> There is not much of a guide right now, but there are some templates and generation scripts designed to help you get started.
>
> For the actual parsing of the protocol and handling protocol state, see:
> src/app-layer-template.[ch]
>
> For logging application events (i.e. dns, tls, etc.) see:
> src/output-json-template.c
>
> For performing content inspection on buffers extracted as part of the app-layer see:
> src/detect-template-buffer.c
>
> There are some scripts to handle some of the boilerplate, such as:
>
> - To stub the initial app-layer for your protocol:
> ./scripts/setup-app-layer.sh DHCP
> (sorry, there is a typo in this script... edx instead of ed, so just fix that up before running)
>
> - To stub out the application logging:
> ./scripts/setup-app-layer-logger.sh DHCP
>
> - And to stub out detection:
> ./scripts/setup-app-layer-detect-detect.sh DHCP
>
> Please note that I think the scripts may be due for some updating, so please let me know if you run into any issues.
>
> As for DHCP, please note that an implementation is already under review and should show up soon.
>
> Jason
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users