Snort mailing list archives
Re: Diameter
From: Joshua Kinard <kumba () gentoo org>
Date: Wed, 11 Apr 2012 08:01:09 -0400
On 04/11/2012 7:03 AM, asiaimbiss wrote:
> Yes... it really seems to be a challenge. There's a language called binpac for describing protocol parsers... it works very well with Bro (another IDS). Unfortunately I haven't found anything similar with Snort.
Snort is written in C. All you need is a book on C programming, the GDB debugger (plus ddd for graphical debugging), a pot of coffee, the RFCs and any other protocol docs on whatever it is you want to decode, and a pillow to soften the inevitable head-against-desk motions you will make over a screwy pointer doing something it shouldn't.

The Snort source is already available, and you can even run it through a cross-referencer like cscope or lxr if you really want. The hard part is figuring out what the devs are doing in some of the code blocks. Some areas are really well documented (like src/pcrm.c) and others leave you scratching your head on why a particular function does something (i.e., portions of Stream5).

After that, it's just writing code that plays with the bits and bytes in the fashion described by the protocol specs. No need to have a specialized language to describe a protocol parser. Have a look at src/decode.c for the core set of low-level (i.e., layers 2, 3, and 4) protocol decoders.

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between." --Emperor Turhan, Centauri Republic

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
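The reply above says a Diameter decoder is just C that walks the bytes the way RFC 6733 lays them out. The block below is an added example in that spirit; it is not Joshua's code, not Snort's, and not wired into src/decode.c or any Snort decoder table. It decodes the 20-byte Diameter header and the AVP headers that follow it, with the bounds checks a decoder inside an IDS cannot skip (a truncated capture, a message length that lies, an AVP length smaller than its own header). The sample message, the struct and function names, and the constants beyond the RFC field layout are all assumptions made for the example.

```c
/* Added example, not Snort code: a standalone, bounds-checked decoder for
 * the Diameter header and AVP headers defined in RFC 6733, done in plain C
 * straight from the RFC, without a parser-description language. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DIAM_HDR_LEN     20   /* fixed message header, RFC 6733 section 3 */
#define DIAM_AVP_HDR_LEN  8   /* AVP header without Vendor-ID, section 4.1 */
#define DIAM_FLAG_R    0x80   /* command flags: R = Request */
#define AVP_FLAG_V     0x80   /* AVP flags: V = Vendor-ID field present */

struct diam_hdr {
    uint8_t  version;
    uint32_t msg_len;         /* 24-bit on the wire, includes the header */
    uint8_t  flags;
    uint32_t cmd_code;        /* 24-bit on the wire */
    uint32_t app_id, hop_by_hop, end_to_end;
};

struct diam_avp {
    uint32_t code;
    uint8_t  flags;
    uint32_t len;             /* header + data, excluding padding */
    uint32_t vendor_id;       /* only meaningful when AVP_FLAG_V is set */
    const uint8_t *data;
    size_t   data_len;
};

static uint32_t be24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Decode the fixed header. Returns 0 on success, -1 if the buffer is too
 * short or the header claims something the buffer cannot back up. Each
 * rejection is a case a careless decoder turns into an out-of-bounds read. */
int diam_decode_hdr(const uint8_t *buf, size_t buf_len, struct diam_hdr *h)
{
    if (!buf || !h || buf_len < DIAM_HDR_LEN) return -1;
    h->version    = buf[0];
    h->msg_len    = be24(buf + 1);
    h->flags      = buf[4];
    h->cmd_code   = be24(buf + 5);
    h->app_id     = be32(buf + 8);
    h->hop_by_hop = be32(buf + 12);
    h->end_to_end = be32(buf + 16);
    if (h->version != 1) return -1;
    if (h->flags & 0x0f) return -1;                      /* reserved bits must be zero */
    if (h->msg_len < DIAM_HDR_LEN || (h->msg_len & 3)) return -1;
    if (h->msg_len > buf_len) return -1;                 /* truncated capture or lying length */
    return 0;
}

/* Decode the AVP at buf[*off] and advance *off past its padding.
 * Returns 1 for an AVP, 0 at end of message, -1 when malformed.
 * msg_len must already have been validated against the buffer. */
int diam_next_avp(const uint8_t *buf, size_t msg_len, size_t *off, struct diam_avp *a)
{
    if (*off == msg_len) return 0;
    if (*off > msg_len || msg_len - *off < DIAM_AVP_HDR_LEN) return -1;
    const uint8_t *p = buf + *off;
    size_t hdr = DIAM_AVP_HDR_LEN;
    a->code = be32(p); a->flags = p[4]; a->len = be24(p + 5); a->vendor_id = 0;
    if (a->flags & AVP_FLAG_V) {
        hdr += 4;
        if (msg_len - *off < hdr) return -1;
        a->vendor_id = be32(p + 8);
    }
    if (a->len < hdr) return -1;                         /* len below its own header: underflow bait */
    size_t padded = ((size_t)a->len + 3) & ~(size_t)3;   /* AVPs are padded to 4 bytes */
    if (padded > msg_len - *off) return -1;              /* AVP runs past the message end */
    a->data = p + hdr; a->data_len = a->len - hdr;
    *off += padded;
    return 1;
}

/* Walk a whole message: number of AVPs, or -1 if anything is malformed. */
int diam_count_avps(const uint8_t *buf, size_t buf_len)
{
    struct diam_hdr h; struct diam_avp a;
    if (diam_decode_hdr(buf, buf_len, &h) != 0) return -1;
    size_t off = DIAM_HDR_LEN; int n = 0, rc;
    while ((rc = diam_next_avp(buf, h.msg_len, &off, &a)) == 1) n++;
    return rc == 0 ? n : -1;
}

/* Constructed sample (not a real capture): a Capabilities-Exchange-Request
 * (command 257, R flag) carrying Origin-Host (AVP 264, "ex.example", padded)
 * and Vendor-Id (AVP 266, value 0). 52 bytes in total. */
const uint8_t diam_sample_cer[52] = {
    0x01, 0x00,0x00,0x34, 0x80, 0x00,0x01,0x01,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01,
    0x00,0x00,0x01,0x08, 0x40, 0x00,0x00,0x12,
    'e','x','.','e','x','a','m','p','l','e', 0x00,0x00,
    0x00,0x00,0x01,0x0a, 0x40, 0x00,0x00,0x0c, 0x00,0x00,0x00,0x00,
};

int main(void)
{
    struct diam_hdr h;
    if (diam_decode_hdr(diam_sample_cer, sizeof diam_sample_cer, &h) == 0)
        printf("cmd=%u %s len=%u avps=%d\n", h.cmd_code,
               (h.flags & DIAM_FLAG_R) ? "request" : "answer", h.msg_len,
               diam_count_avps(diam_sample_cer, sizeof diam_sample_cer));
    return 0;
}
```

The point of the two "lying length" checks is the same one the reply makes about screwy pointers: the 24-bit message and AVP lengths come from the wire, so every pointer advance is derived from attacker-controlled data and must be compared against what the buffer actually holds before it is used.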
Current thread:
- (no subject) karan singhania (Apr 10)
- Re: Diameter Joshua Kinard (Apr 10)
- Re: Diameter asiaimbiss (Apr 11)
- Re: Diameter Joshua Kinard (Apr 11)
- Re: Diameter asiaimbiss (Apr 11)