[prev in list] [next in list] [prev in thread] [next in thread]
List: oisf-devel
Subject: Re: [Oisf-devel] Develop a pre-processor for a TCP based protocol
From: DIALLO David <diallo () et ! esiea ! fr>
Date: 2014-10-30 13:48:04
Message-ID: 54524194.3060808 () et ! esiea ! fr
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Hi Adrian,
Thanks for your feedback regarding to your observation (cosmetic nit).
Regards,
David DIALLO (Modbus pre-processor's author).
Le 28/10/2014 15:51, Adrian Falk a écrit :
> Thanks Victor. This is exactly what I was looking for.
>
> Following are an observation and a follow-up question.
>
> Observation: A cosmetic nit I saw when I pulled in the modbus files
> and ran Suricata. In the file app-layer-detect-proto.c add the
> following changes to fix this cosmetic nit:
> 688,689d687
> else if (pp_pe->alproto == ALPROTO_MODBUS)
> printf(" alproto: ALPROTO_MODBUS\n");
> 739,740d736
> else if (pp_pe->alproto == ALPROTO_MODBUS)
> printf(" alproto: ALPROTO_MODBUS\n");
>
>
> Follow-up question: Is there a file that you can point me to that
> performs packet reassembly at L7.
>
> Thanks.
>
> On Fri, Oct 3, 2014 at 3:03 AM, Victor Julien <victor@inliniac.net
> <mailto:victor@inliniac.net>> wrote:
>
> On 09/29/2014 05:01 PM, Adrian Falk wrote:
> > I am thinking about how to develop a Suricata pre-processor for
> a TCP
> > based L7 protocol. I have looked at the Suricata source code and
> have
> > also
> > reviewed
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Inspection_Module
>
> For this case, you'll need to use the app layer api instead.
> Sadly, it's
> not documented yet.
>
> > I have the following questions:
> >
> > 1. Adding code as per the above document will allow me to add new
> > keywords as well as allow me to perform protocol packet boilerplate
> > checks (len, checksum, etc). Correct?
> >
> > 2. How would I add support for protocol detection?
> >
> > 3. How would I add stateful packet processing for the L7 protocol?
> >
>
> I would like to suggest having a look at this work
> https://github.com/inliniac/suricata/pull/1134
>
> It does all that you ask for modbus.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Devel mailing list:
> oisf-devel@openinfosecfoundation.org
> <mailto:oisf-devel@openinfosecfoundation.org>
> Site: http://suricata-ids.org | Participate:
> http://suricata-ids.org/participate/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
>
>
>
>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel@openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
[Attachment #5 (text/html)]
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Adrian,<br>
<br>
Thanks for your feedback regarding to your observation (cosmetic
nit).<br>
<br>
Regards,<br>
David DIALLO (Modbus pre-processor's author).<br>
<br>
<div class="moz-cite-prefix">Le 28/10/2014 15:51, Adrian Falk a
écrit :<br>
</div>
<blockquote
cite="mid:CAL+hx3K2iH8VrcfSRUeYQk1Hte=3=JAAjng6k5yrd67Tsxf-jA@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<div dir="ltr">Thanks Victor. This is exactly what I was looking
for.
<div><br>
</div>
<div>Following are an observation and a follow-up question.
<div><br>
</div>
<div>Observation: A cosmetic nit I saw when I pulled in the
modbus files and ran Suricata. In the file
app-layer-detect-proto.c add the following changes to fix
this cosmetic nit:</div>
<div>688,689d687</div>
<div> else if (pp_pe->alproto == \
ALPROTO_MODBUS)</div>
<div> printf(" \
alproto: ALPROTO_MODBUS\n");</div> <div>739,740d736</div>
<div>
<div> else if (pp_pe->alproto == ALPROTO_MODBUS)</div>
<div> printf(" \
alproto: ALPROTO_MODBUS\n");</div> </div>
<div><br>
</div>
<div><br>
</div>
<div>Follow-up question: Is there a file that you can point me
to that performs packet reassembly at L7. </div>
</div>
<div><br>
</div>
<div>Thanks.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Oct 3, 2014 at 3:03 AM, Victor
Julien <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:victor@inliniac.net" \
target="_blank">victor@inliniac.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class="">On 09/29/2014 05:01 PM, Adrian Falk wrote:<br>
> I am thinking about how to develop a Suricata
pre-processor for a TCP<br>
> based L7 protocol. I have looked at the Suricata
source code and have<br>
> also<br>
> reviewed <a moz-do-not-send="true"
href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Inspection_Module"
target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Inspection_Module</a><br>
<br>
</span>For this case, you'll need to use the app layer api
instead. Sadly, it's<br>
not documented yet.<br>
<span class=""><br>
> I have the following questions:<br>
><br>
> 1. Adding code as per the above document will allow
me to add new<br>
> keywords as well as allow me to perform protocol
packet boilerplate<br>
> checks (len, checksum, etc). Correct?<br>
><br>
> 2. How would I add support for protocol detection?<br>
><br>
> 3. How would I add stateful packet processing for the
L7 protocol?<br>
><br>
<br>
</span>I would like to suggest having a look at this work<br>
<a moz-do-not-send="true"
href="https://github.com/inliniac/suricata/pull/1134"
target="_blank">https://github.com/inliniac/suricata/pull/1134</a><br>
<br>
It does all that you ask for modbus.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a moz-do-not-send="true"
href="http://www.inliniac.net/" \
target="_blank">http://www.inliniac.net/</a><br> PGP: <a moz-do-not-send="true"
href="http://www.inliniac.net/victorjulien.asc"
target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
_______________________________________________<br>
Suricata IDS Devel mailing list: <a
moz-do-not-send="true"
href="mailto:oisf-devel@openinfosecfoundation.org">oisf-devel@openinfosecfoundation.org</a><br>
Site: <a moz-do-not-send="true"
href="http://suricata-ids.org" \
target="_blank">http://suricata-ids.org</a> | Participate: <a moz-do-not-send="true"
href="http://suricata-ids.org/participate/"
target="_blank">http://suricata-ids.org/participate/</a><br>
List: <a moz-do-not-send="true"
href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel"
target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
Redmine: <a moz-do-not-send="true"
href="https://redmine.openinfosecfoundation.org/"
target="_blank">https://redmine.openinfosecfoundation.org/</a><br>
</font></span></blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Suricata IDS Devel mailing list: <a class="moz-txt-link-abbreviated" \
href="mailto:oisf-devel@openinfosecfoundation.org">oisf-devel@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" \
href="http://suricata-ids.org">http://suricata-ids.org</a> | Participate: <a \
class="moz-txt-link-freetext" \
href="http://suricata-ids.org/participate/">http://suricata-ids.org/participate/</a>
List: <a class="moz-txt-link-freetext" \
href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a>
Redmine: <a class="moz-txt-link-freetext" \
href="https://redmine.openinfosecfoundation.org/">https://redmine.openinfosecfoundation.org/</a></pre>
</blockquote>
<br>
</body>
</html>
_______________________________________________
Suricata IDS Devel mailing list: oisf-devel@openinfosecfoundation.org
Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
Redmine: https://redmine.openinfosecfoundation.org/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic