Snort mailing list archives

Re: Diameter


From: asiaimbiss <karan_singhania1 () yahoo de>
Date: Wed, 11 Apr 2012 13:03:19 +0200

On 11.04.2012 01:42, Joshua Kinard wrote:
> On 04/10/2012 7:11 AM, karan singhania wrote:
>
>> hi everyone,
>> does anyone know how to parse diameter protocol traffic with snort?
>
> Doesn't Diameter travel primarily over SCTP?  Snort needs to support that in
> some mediocre format first.  I started a patch for basic SCTP support, but
> haven't worked on it in over a year now.
>
> I also think Diameter can travel over TCP, too.  So that would just be a
> matter of using whatever RFCs or protocol documents exist to parse Diameter
> and interface with Snort's internal APIs to create a dynamic preprocessor to
> inspect the traffic and possibly expose a few rule options for rule writers.
>
> Either case is going to be a challenge.  Not sure if SCTP or Diameter is
> high on the developers' list of priorities.

Yes, it really seems to be a challenge. There's a language called
binpac for describing protocol parsers; it works very well with Bro
(another IDS).
Unfortunately I haven't found anything similar for Snort.
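The thread talks about parsing Diameter from whatever RFCs exist and feeding it to a Snort preprocessor. As an added illustration that is not part of this thread and not Snort code, the stand-alone C below parses the fixed 20-byte Diameter header (RFC 3588/6733 layout: version, 24-bit message length, command flags, 24-bit command code, application ID, hop-by-hop and end-to-end identifiers) and walks the AVP list with the bounds and padding checks an inspection engine needs before trusting any length field. It assumes the Diameter message has already been extracted from its transport (SCTP or TCP reassembly is out of scope), and the two sample messages (a minimal Capabilities-Exchange-Request and a copy with a corrupted AVP length) are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DIAMETER_HDR_LEN     20
#define DIAMETER_AVP_HDR_LEN 8
#define DIAMETER_FLAG_REQUEST 0x80   /* 'R' bit in the command flags */
#define DIAMETER_AVP_FLAG_VENDOR 0x80 /* 'V' bit: 4-byte Vendor-Id follows the AVP header */

struct diameter_hdr {
    uint8_t  version;
    uint32_t msg_len;     /* 24-bit, whole message including header */
    uint8_t  flags;
    uint32_t cmd_code;    /* 24-bit command code, e.g. 257 = Capabilities-Exchange */
    uint32_t app_id;
    uint32_t hop_by_hop;
    uint32_t end_to_end;
};

static uint32_t be24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode the header. Returns 0 on success, -1 if the buffer is too short,
 * the version is unknown, or the message length is inconsistent with the data. */
int diameter_parse_header(const uint8_t *buf, size_t len, struct diameter_hdr *h)
{
    if (len < DIAMETER_HDR_LEN)
        return -1;
    h->version    = buf[0];
    h->msg_len    = be24(buf + 1);
    h->flags      = buf[4];
    h->cmd_code   = be24(buf + 5);
    h->app_id     = be32(buf + 8);
    h->hop_by_hop = be32(buf + 12);
    h->end_to_end = be32(buf + 16);
    if (h->version != 1)
        return -1;
    /* Length must cover the header, fit the captured data, and be 32-bit aligned. */
    if (h->msg_len < DIAMETER_HDR_LEN || h->msg_len > len || (h->msg_len & 3))
        return -1;
    return 0;
}

/* Walk the AVPs after a validated header. Returns the AVP count, or -1 as soon as an
 * AVP length field points outside the message or is shorter than its own header. */
int diameter_count_avps(const uint8_t *buf, const struct diameter_hdr *h)
{
    size_t off = DIAMETER_HDR_LEN;
    int count = 0;
    while (off < h->msg_len) {
        if (h->msg_len - off < DIAMETER_AVP_HDR_LEN)
            return -1;                                  /* trailing partial AVP header */
        uint8_t  avp_flags = buf[off + 4];
        uint32_t avp_len   = be24(buf + off + 5);       /* unpadded length incl. header */
        size_t   hdr_len   = DIAMETER_AVP_HDR_LEN + ((avp_flags & DIAMETER_AVP_FLAG_VENDOR) ? 4 : 0);
        if (avp_len < hdr_len || avp_len > h->msg_len - off)
            return -1;                                  /* length field lies */
        size_t padded = (avp_len + 3) & ~(size_t)3;     /* data is padded to 4 bytes */
        if (padded > h->msg_len - off)
            return -1;
        off += padded;
        count++;
    }
    return count;
}

/* Constructed sample: CER (code 257, R flag), app 0, hop-by-hop 1, end-to-end 2,
 * with Origin-Host (264, M flag, "ex") and Origin-Realm (296, M flag, "r"). 44 bytes. */
const uint8_t diameter_sample_cer[44] = {
    0x01, 0x00, 0x00, 0x2c,  0x80, 0x00, 0x01, 0x01,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x01,  0x00, 0x00, 0x00, 0x02,
    0x00, 0x00, 0x01, 0x08,  0x40, 0x00, 0x00, 0x0a,  'e', 'x', 0x00, 0x00,
    0x00, 0x00, 0x01, 0x28,  0x40, 0x00, 0x00, 0x09,  'r', 0x00, 0x00, 0x00,
};

/* Same message, but the first AVP claims a length of 4 (shorter than its header). */
const uint8_t diameter_sample_bad_avp[44] = {
    0x01, 0x00, 0x00, 0x2c,  0x80, 0x00, 0x01, 0x01,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x01,  0x00, 0x00, 0x00, 0x02,
    0x00, 0x00, 0x01, 0x08,  0x40, 0x00, 0x00, 0x04,  'e', 'x', 0x00, 0x00,
    0x00, 0x00, 0x01, 0x28,  0x40, 0x00, 0x00, 0x09,  'r', 0x00, 0x00, 0x00,
};

int main(void)
{
    struct diameter_hdr h;
    if (diameter_parse_header(diameter_sample_cer, sizeof diameter_sample_cer, &h) == 0)
        printf("cmd=%u request=%d app=%u avps=%d\n", h.cmd_code,
               (h.flags & DIAMETER_FLAG_REQUEST) != 0, h.app_id,
               diameter_count_avps(diameter_sample_cer, &h));
    if (diameter_parse_header(diameter_sample_bad_avp, sizeof diameter_sample_bad_avp, &h) == 0)
        printf("bad sample: avps=%d (-1 means malformed)\n",
               diameter_count_avps(diameter_sample_bad_avp, &h));
    return 0;
}
```

A real preprocessor would additionally buffer across TCP segments or SCTP chunks until `msg_len` bytes are available, and expose fields such as the command code and application ID as rule options; the checks above are the part that keeps a length-driven parser from reading past the packet.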

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
