[Oisf-users] Is there a guide how to add a new application layer protocol plugin

Tom DeCanio decanio.tom at gmail.com
Thu Apr 13 21:35:09 UTC 2017


You're welcome! I just pushed another feature/dhcp-v3 branch to the repo.
This fixes a race condition that can occur (mostly when running in -r
file.pcap mode with multiple packet processing threads). If the
request/response got processed out of order the src_ip and dest_ip wound
up as 0.0.0.0 and 255.255.255.255 respectively, which I didn't like. So I
arranged things so that the ip address pair from the response is always
used in the log output, which is more meaningful and leads to less confusion.

If you have suggestions for improvements or additional functionality in the
DHCP code let me know and I'll look into adding it.

PR should happen soon.

Tom

On Wed, Apr 12, 2017 at 9:56 PM tidy at holonetsecurity.com <
tidy at holonetsecurity.com> wrote:

> Cool,  Thanks Tom.
>
> -Tidy
>
> On Apr 12, 2017, at 11:58 PM, Tom DeCanio <decanio.tom at gmail.com> wrote:
>
>
> My DHCP code is here
> https://github.com/decanio/suricata-np/tree/feature/dhcp-v2 for those who
> are curious.  Close to sending a PR for this.  Comments are welcome.
>
> Tom
>
> On Mon, Apr 10, 2017 at 8:33 AM Tom DeCanio <decanio.tom at gmail.com> wrote:
>
>> We've got a DHCP implementation well underway.  I need to push the most
>> recent work to my public git repo.
>>
>> Tom
>>
>> On Sun, Apr 9, 2017 at 10:16 PM, tidy at holonetsecurity.com <
>> tidy at holonetsecurity.com> wrote:
>>
>> Jason, great and thanks very much for your detailed info, and I will update
>> you when I run into issues.
>>
>> -Tidy
>>
>> > On Apr 10, 2017, at 12:11 PM, Jason Ish <lists at ish.cx> wrote:
>> >
>> > On 09/04/17 08:55 PM, tidy at holonetsecurity.com wrote:
>> >> I would like to add application protocol parsing to the suricata engine,
>> >> example: DHCP protocol. What main framework code do we need to change?
>> >> Thanks.
>> >
>> > There is not much of a guide right now, but there are some templates
>> and generation scripts designed to help you get started.
>> >
>> > For the actual parsing of the protocol and handling protocol state, see:
>> > src/app-layer-template.[ch]
>> >
>> > For logging application events (i.e. dns, tls, etc.) see:
>> > src/output-json-template.c
>> >
>> > For performing content inspection on buffers extracted as part of the
>> app-layer see:
>> > src/detect-template-buffer.c
>> >
>> > There are some scripts to handle some of the boilerplate, such as:
>> >
>> > - To stub the initial app-layer for your protocol:
>> >  ./scripts/setup-app-layer.sh DHCP
>> > (sorry, there is a typo in this script...  edx instead of ed, so just
>> fix that up before running)
>> >
>> > - To stub out the application logging:
>> >  ./scripts/setup-app-layer-logger.sh DHCP
>> >
>> > - And to stub out detection:
>> >  ./scripts/setup-app-layer-detect-detect.sh DHCP
>> >
>> > Please note that I think the scripts may be due for some updating, so
>> please let me know if you run into any issues.
>> >
>> > As for DHCP, please note that an implementation is already under review
>> and should show up soon.
>> >
>> > Jason
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> > List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>
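The out-of-order request/response problem Tom describes, as an added example that is not code from the suricata-np branch or from Suricata itself: a minimal C model of a DHCP transaction that parses only the fixed header, pairs the two directions by xid whichever is processed first, and always takes the logged IP pair from the response. The header layout follows RFC 2131; the function names, the host-order uint32 addresses, and the constructed 236-byte packets are assumptions of this example, not Suricata's API.

```c
#include <stddef.h>
#include <stdint.h>

#define DHCP_HDR_LEN 236u   /* fixed BOOTP/DHCP header length, RFC 2131 */
enum { BOOTREQUEST = 1, BOOTREPLY = 2 };

typedef struct { uint8_t op; uint32_t xid; } DhcpHdr;
/* One transaction keyed by xid; either direction may be processed first.
 * IP addresses are host-order uint32 to keep the example self-contained. */
typedef struct {
    uint32_t xid; int have_req, have_resp;
    uint32_t req_src, req_dst, resp_src, resp_dst;
} DhcpTx;

/* Parse only the fixed header; reject truncated input and unknown op codes. */
int dhcp_parse(const uint8_t *buf, size_t len, DhcpHdr *h) {
    if (buf == NULL || len < DHCP_HDR_LEN) return 0;
    h->op = buf[0];
    if (h->op != BOOTREQUEST && h->op != BOOTREPLY) return 0;
    h->xid = (uint32_t)buf[4] << 24 | (uint32_t)buf[5] << 16 | (uint32_t)buf[6] << 8 | buf[7];
    return 1;
}

/* Record the wire IP pair of one parsed packet in the slot its op code selects. */
void dhcp_tx_update(DhcpTx *tx, const DhcpHdr *h, uint32_t ip_src, uint32_t ip_dst) {
    tx->xid = h->xid;
    if (h->op == BOOTREQUEST) {
        tx->have_req = 1;  tx->req_src = ip_src;  tx->req_dst = ip_dst;
    } else {
        tx->have_resp = 1; tx->resp_src = ip_src; tx->resp_dst = ip_dst;
    }
}

/* Log pair: prefer the response's, so a late request cannot leave 0.0.0.0 -> 255.255.255.255. */
int dhcp_tx_log_addrs(const DhcpTx *tx, uint32_t *src, uint32_t *dst) {
    if (tx->have_resp) { *src = tx->resp_src; *dst = tx->resp_dst; return 1; }
    if (tx->have_req)  { *src = tx->req_src;  *dst = tx->req_dst;  return 1; }
    return 0;
}

/* Constructed scenario: the BOOTREPLY (192.168.1.1 -> 192.168.1.100) is processed
 * before its BOOTREQUEST (0.0.0.0 -> 255.255.255.255). Returns the logged src. */
uint32_t demo_out_of_order_src(void) {
    uint8_t raw[DHCP_HDR_LEN] = { [0] = BOOTREPLY, [4] = 0x12, [5] = 0x34, [6] = 0x56, [7] = 0x78 };
    DhcpHdr h; DhcpTx tx = {0}; uint32_t s = 0, d = 0;
    if (!dhcp_parse(raw, sizeof raw, &h)) return 0;
    dhcp_tx_update(&tx, &h, 0xC0A80101u, 0xC0A80164u);   /* reply first */
    raw[0] = BOOTREQUEST; if (!dhcp_parse(raw, sizeof raw, &h)) return 0;
    dhcp_tx_update(&tx, &h, 0u, 0xFFFFFFFFu);            /* request late */
    return dhcp_tx_log_addrs(&tx, &s, &d) ? s : 0;
}
```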