[Oisf-users] Is there a guide how to add a new application layer protocol plugin

tidy at holonetsecurity.com tidy at holonetsecurity.com
Thu Apr 13 04:54:30 UTC 2017


Cool, thanks Tom.

-Tidy
> On Apr 12, 2017, at 11:58 PM, Tom DeCanio <decanio.tom at gmail.com> wrote:
> 
> 
> My DHCP code is here https://github.com/decanio/suricata-np/tree/feature/dhcp-v2 for those who are curious. Close to sending a PR for this. Comments are welcome.
> 
> Tom
> 
> On Mon, Apr 10, 2017 at 8:33 AM Tom DeCanio <decanio.tom at gmail.com> wrote:
> We've got a DHCP implementation well underway. I need to push the most recent work to my public git repo.
> 
> Tom
> 
> On Sun, Apr 9, 2017 at 10:16 PM, tidy at holonetsecurity.com <tidy at holonetsecurity.com> wrote:
> Jason, great, and thanks very much for your detailed info; I will update you when I run into issues.
> 
> -Tidy
> 
> > On Apr 10, 2017, at 12:11 PM, Jason Ish <lists at ish.cx> wrote:
> >
> > On 09/04/17 08:55 PM, tidy at holonetsecurity.com wrote:
> >> I would like to add application protocol parsing to the Suricata engine,
> >> for example the DHCP protocol. What main framework code do we need to change?
> >> Thanks.
> >
> > There is not much of a guide right now, but there are some templates and generation scripts designed to help you get started.
> >
> > For the actual parsing of the protocol and handling protocol state, see:
> > src/app-layer-template.[ch]
> >
> > For logging application events (i.e. dns, tls, etc.) see:
> > src/output-json-template.c
> >
> > For performing content inspection on buffers extracted as part of the app-layer see:
> > src/detect-template-buffer.c
> >
> > There are some scripts to handle some of the boilerplate, such as:
> >
> > - To stub the initial app-layer for your protocol:
> >  ./scripts/setup-app-layer.sh DHCP
> > (sorry, there is a typo in this script...  edx instead of ed, so just fix that up before running)
> >
> > - To stub out the application logging:
> >  ./scripts/setup-app-layer-logger.sh DHCP
> >
> > - And to stub out detection:
> >  ./scripts/setup-app-layer-detect-detect.sh DHCP
> >
> > Please note that I think the scripts may be due for some updating, so please let me know if you run into any issues.
> >
> > As for DHCP, please note that an implementation is already under review and should show up soon.
> >
> > Jason
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
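Jason's pointers above say where the parser for a new app-layer protocol lives (src/app-layer-template.[ch]) but not what the parsing itself has to look like. The following is an added example, not Suricata's API and not code from Tom's DHCP branch: a stand-alone, bounds-checked parser for the DHCP fixed header and option TLVs (RFC 2131), the kind of logic that fills in the template's parse function, with a constructed DHCPDISCOVER and a truncated-option case showing how a bad length byte is rejected instead of read past the payload. DhcpParse, DhcpDemo, DhcpMsg and the sample packet are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>

#define DHCP_FIXED_LEN   236         /* op .. file fields, RFC 2131 */
#define DHCP_MAGIC       0x63825363u /* options magic cookie */
#define DHCP_OPT_MSGTYPE 53
/* op: 1 = BOOTREQUEST, 2 = BOOTREPLY; msg_type: option 53 value, or -1 if absent */
typedef struct { uint8_t op; uint32_t xid; int msg_type; } DhcpMsg;
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse a UDP payload as a DHCP message. Returns 0 on success, -1 on a short
 * or malformed buffer. Each option length is checked against the bytes left
 * before it is used, so a bad length byte cannot read past the payload. */
int DhcpParse(const uint8_t *buf, size_t len, DhcpMsg *out)
{
    if (buf == NULL || out == NULL || len < DHCP_FIXED_LEN + 4) return -1;
    out->op = buf[0];
    out->xid = be32(buf + 4);
    out->msg_type = -1;
    if (out->op != 1 && out->op != 2) return -1;
    if (be32(buf + DHCP_FIXED_LEN) != DHCP_MAGIC) return -1;
    size_t i = DHCP_FIXED_LEN + 4;
    while (i < len) {
        uint8_t code = buf[i++];
        if (code == 255) return 0;     /* end option: done */
        if (code == 0) continue;       /* pad option has no length byte */
        if (i >= len) return -1;       /* length byte missing */
        uint8_t olen = buf[i++];
        if (olen > len - i) return -1; /* option claims more than remains */
        if (code == DHCP_OPT_MSGTYPE && olen == 1) out->msg_type = buf[i];
        i += olen;
    }
    return -1; /* ran out of bytes before the end option */
}

/* Constructed DHCPDISCOVER (op=1, xid=0x3903f326, option 53 = 1). With
 * truncate != 0 the option's length byte claims more data than is present.
 * Returns the parsed message type, or -1 when the parser rejects the buffer. */
int DhcpDemo(int truncate)
{
    uint8_t pkt[DHCP_FIXED_LEN + 8] = {0};
    DhcpMsg m;
    pkt[0] = 1; pkt[1] = 1; pkt[2] = 6;                         /* op, htype, hlen */
    pkt[4] = 0x39; pkt[5] = 0x03; pkt[6] = 0xf3; pkt[7] = 0x26; /* xid */
    pkt[236] = 0x63; pkt[237] = 0x82; pkt[238] = 0x53; pkt[239] = 0x63;
    pkt[240] = DHCP_OPT_MSGTYPE; pkt[241] = truncate ? 9 : 1; pkt[242] = 1; pkt[243] = 255;
    return DhcpParse(pkt, sizeof(pkt), &m) == 0 ? m.msg_type : -1;
}
```

Inside the real template the same checks would run in the parse callback against the buffer the app-layer hands over, with DhcpMsg replaced by the protocol's state and transaction structs.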
