[Oisf-users] Is there a guide how to add a new application layer protocol plugin

Jason Ish lists at ish.cx
Mon Apr 10 04:11:14 UTC 2017


On 09/04/17 08:55 PM, tidy at holonetsecurity.com wrote:
> I would like to add application protocol parsing to the suricata engine,
> example: DHCP protocol. What main framework code do we need to change?
> Thanks.

There is not much of a guide right now, but there are some templates and 
generation scripts designed to help you get started.

For the actual parsing of the protocol and handling protocol state, see:
src/app-layer-template.[ch]

For logging application events (i.e. dns, tls, etc.) see:
src/output-json-template.c

For performing content inspection on buffers extracted as part of the 
app-layer see:
src/detect-template-buffer.c

There are some scripts to handle some of the boilerplate, such as:

- To stub the initial app-layer for your protocol:
   ./scripts/setup-app-layer.sh DHCP
(sorry, there is a typo in this script...  edx instead of ed, so just 
fix that up before running)

- To stub out the application logging:
   ./scripts/setup-app-layer-logger.sh DHCP

- And to stub out detection:
   ./scripts/setup-app-layer-detect-detect.sh DHCP

Please note that I think the scripts may be due for some updating, so 
please let me know if you run into any issues.

As for DHCP, please note that an implementation is already under review 
and should show up soon.

Jason
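The templates above leave the actual protocol parsing and state handling to you. As an added illustration of what goes into that parsing step for the protocol the question asks about, here is a stand-alone DHCP message parser in C. It is example code written for this page, not Suricata's own code and not the DHCP implementation mentioned as under review; it uses no Suricata API, and the sample DHCPDISCOVER (client MAC, transaction id) is constructed for the example. It shows the two things an app-layer parser must get right before it is wired into the engine: pulling out the fields worth tracking per transaction (op, xid, message type) and bounds-checking every option length so a malformed packet cannot read past the buffer.

```c
/* Minimal DHCP (RFC 2131/2132) message parser. Added example for this
 * page; not Suricata code, no Suricata API is used. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DHCP_FIXED_LEN 236          /* BOOTP fixed header, up to the options field */
#define DHCP_MAGIC 0x63825363u      /* RFC 1497 magic cookie */
#define DHCP_OPT_PAD 0
#define DHCP_OPT_MSG_TYPE 53
#define DHCP_OPT_END 255

typedef struct {
    uint8_t op;            /* 1 = BOOTREQUEST, 2 = BOOTREPLY */
    uint32_t xid;          /* transaction id; pairs a request with its reply */
    uint8_t msg_type;      /* option 53 value, 0 if absent */
    uint8_t client_mac[6];
    int truncated;         /* set when an option length runs past the buffer */
} DhcpMessage;

/* Parse one DHCP message. Returns 0 on success, negative on error. */
int dhcp_parse(const uint8_t *buf, size_t len, DhcpMessage *out)
{
    memset(out, 0, sizeof(*out));
    if (len < DHCP_FIXED_LEN + 4)           /* fixed header + magic cookie */
        return -1;
    out->op = buf[0];
    if (buf[1] != 1 || buf[2] != 6)         /* htype Ethernet, hlen 6 */
        return -2;
    out->xid = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
               ((uint32_t)buf[6] << 8) | buf[7];
    memcpy(out->client_mac, buf + 28, 6);
    uint32_t magic = ((uint32_t)buf[236] << 24) | ((uint32_t)buf[237] << 16) |
                     ((uint32_t)buf[238] << 8) | buf[239];
    if (magic != DHCP_MAGIC)
        return -3;

    /* Walk the TLV options. The length byte comes from the wire and must be
     * checked against the remaining buffer before it is used. */
    size_t i = DHCP_FIXED_LEN + 4;
    while (i < len) {
        uint8_t code = buf[i++];
        if (code == DHCP_OPT_PAD) continue;           /* single-byte pad */
        if (code == DHCP_OPT_END) return 0;
        if (i >= len) { out->truncated = 1; return -4; }
        uint8_t olen = buf[i++];
        if (olen > len - i) { out->truncated = 1; return -4; }
        if (code == DHCP_OPT_MSG_TYPE && olen == 1)
            out->msg_type = buf[i];
        i += olen;
    }
    return 0;                                         /* no END option; tolerated */
}

/* Constructed sample: a DHCPDISCOVER from 00:0c:29:aa:bb:cc with
 * xid 0x3903f326 (both made up for this example). Returns its length. */
size_t dhcp_sample_discover(uint8_t *buf, size_t cap)
{
    static const uint8_t mac[6] = {0x00, 0x0c, 0x29, 0xaa, 0xbb, 0xcc};
    static const uint8_t opts[] = {
        53, 1, 1,           /* DHCP Message Type = DISCOVER */
        55, 3, 1, 3, 6,     /* Parameter Request List */
        0,                  /* pad */
        255                 /* end */
    };
    size_t need = DHCP_FIXED_LEN + 4 + sizeof(opts);
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 1; buf[1] = 1; buf[2] = 6;
    buf[4] = 0x39; buf[5] = 0x03; buf[6] = 0xf3; buf[7] = 0x26;
    memcpy(buf + 28, mac, 6);
    buf[236] = 0x63; buf[237] = 0x82; buf[238] = 0x53; buf[239] = 0x63;
    memcpy(buf + 240, opts, sizeof(opts));
    return need;
}

/* Parse the sample and return its message type (1 = DISCOVER), -1 on error. */
int dhcp_demo_msg_type(void)
{
    uint8_t buf[512]; DhcpMessage m;
    size_t n = dhcp_sample_discover(buf, sizeof(buf));
    return dhcp_parse(buf, n, &m) == 0 ? m.msg_type : -1;
}

/* Corrupt the sample so option 55 claims 40 bytes when only 5 remain;
 * the parser must refuse it instead of reading past the buffer. */
int dhcp_demo_truncated(void)
{
    uint8_t buf[512]; DhcpMessage m;
    size_t n = dhcp_sample_discover(buf, sizeof(buf));
    buf[244] = 40;
    return dhcp_parse(buf, n, &m);
}

int main(void)
{
    uint8_t buf[512]; DhcpMessage m;
    size_t n = dhcp_sample_discover(buf, sizeof(buf));
    int rc = dhcp_parse(buf, n, &m);
    printf("rc=%d op=%u xid=%08lx type=%u truncated-demo=%d\n", rc,
           (unsigned)m.op, (unsigned long)m.xid, (unsigned)m.msg_type,
           dhcp_demo_truncated());
    return rc != 0;
}
```

In a real app-layer module the xid and op fields are what you would key per-flow transaction state on (request and reply share an xid), and the msg_type is the natural value to expose to the logger and to a detection keyword; the bounds checks are the part that must never be skipped, since the option buffer is attacker-controlled input.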
