[Oisf-users] Is there a guide how to add a new application layer protocol plugin

Tom DeCanio decanio.tom at gmail.com
Wed Apr 12 15:58:04 UTC 2017


My DHCP code is here
https://github.com/decanio/suricata-np/tree/feature/dhcp-v2 for those who
are curious.  Close to sending a PR for this.  Comments are welcome.

Tom

On Mon, Apr 10, 2017 at 8:33 AM Tom DeCanio <decanio.tom at gmail.com> wrote:

> We've got a DHCP implementation well underway.  I need to push the most
> recent work to my public git repo.
>
> Tom
>
> On Sun, Apr 9, 2017 at 10:16 PM, tidy at holonetsecurity.com <
> tidy at holonetsecurity.com> wrote:
>
> Jason, great and thanks very much for your detailed info and will update you
> when I run into issues.
>
> -Tidy
>
> > On Apr 10, 2017, at 12:11 PM, Jason Ish <lists at ish.cx> wrote:
> >
> > On 09/04/17 08:55 PM, tidy at holonetsecurity.com wrote:
> >> I would like to add application protocol parsing to suricata engine,
> >> example: DHCP protocol. what main framework code we need to change ?
> >> Thanks.
> >
> > There is not much of a guide right now, but there are some templates and
> > generation scripts designed to help you get started.
> >
> > For the actual parsing of the protocol and handling protocol state, see:
> > src/app-layer-template.[ch]
> >
> > For logging application events (ie: dns, tls, etc) see:
> > src/output-json-template.c
> >
> > For performing content inspection on buffers extracted as part of the
> > app-layer see:
> > src/detect-template-buffer.c
> >
> > There are some scripts to handle some of the boilerplate, such as:
> >
> > - To stub the initial app-layer for your protocol:
> >  ./scripts/setup-app-layer.sh DHCP
> > (sorry, there is a typo in this script...  edx instead of ed, so just
> > fix that up before running)
> >
> > - To stub out the application logging:
> >  ./scripts/setup-app-layer-logger.sh DHCP
> >
> > - And to stub out detection:
> >  ./scripts/setup-app-layer-detect-detect.sh DHCP
> >
> > Please note that I think the scripts may be due for some updating, so
> > please let me know if you run into any issues.
> >
> > As for DHCP, please note that an implementation is already under review
> > and should show up soon.
> >
> > Jason
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
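What the parsing half of such a plugin has to get right, as an added stand-alone example (my own code, not from this thread, from Suricata's app-layer template, or from either DHCP branch mentioned): a bounds-checked walk of the BOOTP fixed header and the DHCP option list that extracts the message type, run against a constructed DHCPDISCOVER. All function names and the sample bytes are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* BOOTP fixed header (RFC 2131) is 236 bytes; the 4-byte magic cookie follows. */
#define DHCP_FIXED_LEN 236
#define DHCP_MAGIC 0x63825363u
#define DHCP_OPT_PAD 0
#define DHCP_OPT_MSG_TYPE 53
#define DHCP_OPT_END 255

/* Returns the DHCP message type (1 = DISCOVER, 2 = OFFER, ...) or -1 if the buffer
 * is malformed. Every read is bounds-checked: an IDS parser consumes untrusted bytes. */
int dhcp_message_type(const uint8_t *buf, size_t len)
{
    if (len < DHCP_FIXED_LEN + 4) return -1;
    /* op must be BOOTREQUEST (1) or BOOTREPLY (2); hlen cannot exceed chaddr (16) */
    if ((buf[0] != 1 && buf[0] != 2) || buf[2] > 16) return -1;
    uint32_t cookie = ((uint32_t)buf[236] << 24) | ((uint32_t)buf[237] << 16) |
                      ((uint32_t)buf[238] << 8) | buf[239];
    if (cookie != DHCP_MAGIC) return -1;
    int type = -1;
    size_t i = DHCP_FIXED_LEN + 4;
    while (i < len) {
        uint8_t code = buf[i++];
        if (code == DHCP_OPT_PAD) continue;      /* one byte, no length field */
        if (code == DHCP_OPT_END) return type;   /* END terminates the option list */
        if (i >= len) return -1;                 /* option code with no length byte */
        uint8_t olen = buf[i++];
        if (olen > len - i) return -1;           /* option claims more bytes than remain */
        if (code == DHCP_OPT_MSG_TYPE && olen == 1) type = buf[i];
        i += olen;
    }
    return -1;  /* ran off the buffer without an END option */
}

/* Constructed sample (not a capture): a DHCPDISCOVER with a client-identifier
 * option and a terminating END. Returns the message length, or 0 if out is too small. */
size_t dhcp_sample_discover(uint8_t *out, size_t cap)
{
    static const uint8_t tail[] = {
        0x63, 0x82, 0x53, 0x63,                        /* magic cookie */
        53, 1, 1,                                      /* message type: DISCOVER */
        61, 7, 1, 0xde, 0xad, 0xbe, 0xef, 0x00, 0x01,  /* client id: type 1 + made-up MAC */
        255 };                                         /* end of options */
    if (cap < DHCP_FIXED_LEN + sizeof tail) return 0;
    memset(out, 0, DHCP_FIXED_LEN);
    out[0] = 1; out[1] = 1; out[2] = 6;                /* BOOTREQUEST, Ethernet, hlen 6 */
    memcpy(out + DHCP_FIXED_LEN, tail, sizeof tail);
    return DHCP_FIXED_LEN + sizeof tail;
}
```

Feeding the same buffer truncated by one byte (END missing) or by five (mid-option) exercises the two failure paths a fuzzer would hit first.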