List: oisf-devel
Subject: Re: [Oisf-devel] Adding a Custom Action to Suricata
From: Victor Julien <victor () inliniac ! net>
Date: 2016-02-25 8:09:13
Message-ID: 56CEB6A9.9040709 () inliniac ! net
On 24-02-16 09:56, Mário Costa wrote:
> Hi Victor,
>
> I want to perform application layer protocol signature matching, but
> in the scenario I'm the endpoint, and it may require several client/
> server message exchanges to identify the protocol.
Suricata won't be able to act as an endpoint itself.
Have you tried using the rule language to identify a protocol? Using
patterns, regex and/or lua script in combination with flowbits/flowints
you should be able to get a long way.
Do you have a specific protocol in mind?
Cheers,
Victor
> On Tue, Feb 23, 2016 at 12:23 PM, Victor Julien <victor@inliniac.net> wrote:
> > On 23-02-16 00:16, Mário Costa wrote:
> > > I wanted to add a set of rules (signature); when the signature is
> > > detected, start a server (e.g. http, or other) with a protocol
> > > state machine to communicate with an incoming connection. Similar to
> > > what Haka says it does, but at the TCP layer.
> >
> > What kind of interaction are you seeking with a connection? In general
> > Suricata won't be able to start a server, although using the lua
> > scripting you can do many things, including starting external processes
> > if you'd want. Not sure if that is wise though :)
> >
> > Cheers,
> > Victor
> >
> > > Still not sure if Suricata is the best tool for that ...
> > >
> > > PS:
> > > This page is missing
> > > (https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Output_Plugins?parent=Suricata_Developers_Guide),
> > > yet it is referenced in other plugins.
> > >
> > > Thanks,
> > > mc
> > >
> > > On Mon, Feb 22, 2016 at 10:46 PM, Andreas Herz <andi@geekosphere.org> wrote:
> > > > On 22/02/16 at 22:43, Mário Costa wrote:
> > > > > I wanted to add a custom action to Suricata. Is there any Dev Guide? I
> > > > > could use the help on that.
> > > >
> > > > Would you like to share with us what you have in mind?
> > > >
> > > > But this is our guide:
> > > >
> > > > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Developers_Guide
> > > >
> > > > --
> > > > Andreas Herz
> > > > _______________________________________________
> > > > Suricata IDS Devel mailing list: oisf-devel@openinfosecfoundation.org
> > > > Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> > > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> > > > Redmine: https://redmine.openinfosecfoundation.org/
> > > > Developer Training in Paris Sept 12-16: http://suricata-ids.org/training/
> > >
> >
> >
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
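Victor's suggestion of chaining patterns with flowbits/flowints to identify a protocol that only reveals itself over several client/server messages, worked through as an added example that is not part of this thread or of the Suricata project: the "XPROTO" handshake strings, the flowbit names and the sids are all constructed for illustration.

```suricata
# Added example (constructed protocol, not from the thread): identify a made-up
# "XPROTO" service that needs two round trips before it can be recognised.
# Each stage only fires inside one established TCP flow and hands state to the
# next stage through flowbits, so the stages cannot match out of order.

# Stage 1: client greeting. Remember it on the flow, but do not alert yet.
alert tcp any any -> any any (msg:"XPROTO stage 1: client hello"; flow:to_server,established; content:"XPROTO-HELLO"; depth:12; flowbits:set,xproto.client_hello; flowbits:noalert; sid:9000001; rev:1;)

# Stage 2: server acknowledgement, accepted only if the client hello was seen first.
# A flowint counts completed round trips on the flow.
alert tcp any any -> any any (msg:"XPROTO stage 2: server ack"; flow:to_client,established; flowbits:isset,xproto.client_hello; content:"XPROTO-OK"; depth:9; flowbits:set,xproto.server_ok; flowint:xproto.rounds,=,1; flowbits:noalert; sid:9000002; rev:1;)

# Stage 3: client authenticates after the ack; this is the point where the
# protocol is identified, so this rule is the one that alerts.
alert tcp any any -> any any (msg:"XPROTO identified after handshake"; flow:to_server,established; flowbits:isset,xproto.server_ok; content:"AUTH "; depth:5; flowint:xproto.rounds,+,1; flowbits:set,xproto.identified; sid:9000003; rev:1;)

# Optional follow-up: once identified, any further server data on that flow can
# be tagged without re-matching the handshake, e.g. for logging or policy.
alert tcp any any -> any any (msg:"XPROTO traffic on identified flow"; flow:to_client,established; flowbits:isset,xproto.identified; flowint:xproto.rounds,>=,2; flowbits:noalert; sid:9000004; rev:1;)
```

Because flowbits live on the flow, a server reply matching stage 2 on a flow that never sent the client hello is ignored, which is what keeps a multi-message identification from producing a false positive on a single lucky byte pattern.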