[Oisf-users] Is there a guide how to add a new application layer protocol plugin

Jason Ish lists at ish.cx
Mon Apr 10 04:11:14 UTC 2017

On 09/04/17 08:55 PM, tidy at holonetsecurity.com wrote:
> I would like to add application protocol parsing to suricata engine,
> example: DHCP protocol. what main framework code we need to change ?
> Thanks.

There is not much of a guide right now, but there are some templates and 
generation scripts designed to help you get started.

For the actual parsing of the protocol and handling protocol state, see:

For logging application events (ie: dns, tls, etc) see:

For performaning content inspection on buffers extracted as part of the 
app-layer see:

There are some scripts to handle some of the boilerplate, such as:

- To stub the initial app-layer for your protocol:
   ./scripts/setup-app-layer.sh DHCP
(sorry, there is a typo in this script...  edx instead of ed, so just 
fix that up before running)

- To stub out the application logging:
   ./scripts/setup-app-layer-logger.sh DHCP

- And to stub out detection:
   ./scripts/setup-app-layer-detect-detect.sh DHCP

Please note that I think the scripts may be do for some updating, so 
please let me know if you run into any issues.

As for DHCP, please note than an implementation is already under review 
and should show up soon.


More information about the Oisf-users mailing list