Snort mailing list archives
Re: Snort Supports SCTP
From: Joshua Kinard <kumba () gentoo org>
Date: Mon, 20 May 2013 13:52:01 -0400
On 05/20/2013 1:20 AM, Joshua Kinard wrote:
> On 05/16/2013 7:53 AM, Russ Combs wrote:
>> It is on our radar, but there are no specific plans at this point.
>>
>> On Wed, May 15, 2013 at 5:06 AM, marwane azzouzi <azzouzi.marwane () hotmail fr> wrote:
>>> Hello,
>>> My question concerns the support of the SCTP protocol by Snort in a mobile context (SIGTRAN). I see that there is no preprocessor to decode the SCTP protocol such as the SIP or HTTP preprocessors... Did the team intend to develop that feature? Any information?
>>> Thx
>>> marwane
>
> Try the attached. I have a strange fascination with SCTP, so back in 2011, I copied the Stream5 UDP code and made a very generic SCTP Stream5 module, as well as duplicated all the code points where UDP was parsed to parse SCTP. I also added a DecodeSCTP function and various helpers to decode.c, and other bits that I'm not going to enumerate here. I just updated all the code today to work with snort-2.9.4.6, and tested it on both IPv4 and IPv6-based packet captures that I managed to hunt down off of Google.
>
> [snip]

Oops, I almost forgot to mention, I have a bunch of raw printf() statements left over in decoder.c from debugging. Remove those if they get too annoying with the supplied patch (to be added after the first two). I've only tested this code on the handful of SCTP packet captures off of Google, as I do not have a real SCTP setup to generate live traffic.

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between."
--Emperor Turhan, Centauri Republic
Attachments:
- snort-2946-sctp-kill-debugging.patch
- signature.asc (OpenPGP digital signature)
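The patches themselves are attachments that the archive does not reproduce, so there is no decoder code on this page to read. As an added illustration of what a DecodeSCTP-style routine has to get right (this is example code written for this page, not Joshua's patch and not Snort's decode.c), the block below parses the RFC 4960 common header and walks the chunk list with the bounds checks a decoder fed by untrusted captures needs: a chunk length below the 4-byte chunk header would never advance the cursor, and a length larger than the remaining buffer would read past the packet. The sample packet is constructed by hand (a DATA chunk with PPID 3, the M3UA identifier, followed by a SACK chunk); the CRC32c checksum field is parsed but not verified.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wire layout per RFC 4960: 12-byte common header, then chunks padded to 4 bytes. */
#define SCTP_COMMON_HDR_LEN 12
#define SCTP_CHUNK_HDR_LEN   4
#define SCTP_MAX_CHUNKS     16

typedef struct {
    uint16_t sport, dport;
    uint32_t vtag;       /* verification tag; must match the association's expected tag */
    uint32_t checksum;   /* CRC32c over the packet; parsed here, not verified */
} sctp_common_hdr_t;

typedef struct {
    uint8_t  type, flags;
    uint16_t length;     /* header + value as carried on the wire, excluding padding */
    size_t   offset;     /* byte offset of the chunk within the SCTP packet */
} sctp_chunk_t;

typedef struct {
    sctp_common_hdr_t hdr;
    sctp_chunk_t chunks[SCTP_MAX_CHUNKS];
    int nchunks;
} sctp_pkt_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode the common header and walk the chunk list.
 * Returns the number of chunks found, or -1 if the packet is malformed
 * (truncated header, chunk length below 4, or a chunk running past the buffer). */
int decode_sctp(const uint8_t *pkt, size_t len, sctp_pkt_t *out)
{
    if (!pkt || !out || len < SCTP_COMMON_HDR_LEN) return -1;
    memset(out, 0, sizeof *out);
    out->hdr.sport    = rd16(pkt);
    out->hdr.dport    = rd16(pkt + 2);
    out->hdr.vtag     = rd32(pkt + 4);
    out->hdr.checksum = rd32(pkt + 8);

    size_t off = SCTP_COMMON_HDR_LEN;
    while (off < len) {
        if (len - off < SCTP_CHUNK_HDR_LEN) return -1;    /* not even a chunk header left */
        uint16_t clen = rd16(pkt + off + 2);
        if (clen < SCTP_CHUNK_HDR_LEN) return -1;         /* length 0..3 would never advance: refuse it */
        if (clen > len - off) return -1;                  /* chunk claims bytes the packet does not have */
        if (out->nchunks >= SCTP_MAX_CHUNKS) return -1;   /* bound the chunk table */
        sctp_chunk_t *c = &out->chunks[out->nchunks++];
        c->type = pkt[off]; c->flags = pkt[off + 1]; c->length = clen; c->offset = off;
        size_t padded = ((size_t)clen + 3) & ~(size_t)3;  /* chunks are padded to a 4-byte boundary */
        off = (padded > len - off) ? len : off + padded;  /* tolerate missing padding on the last chunk */
    }
    return out->nchunks;
}

const char *sctp_chunk_name(uint8_t type)
{
    static const char *names[] = { "DATA", "INIT", "INIT-ACK", "SACK", "HEARTBEAT",
        "HEARTBEAT-ACK", "ABORT", "SHUTDOWN", "SHUTDOWN-ACK", "ERROR", "COOKIE-ECHO",
        "COOKIE-ACK", "ECNE", "CWR", "SHUTDOWN-COMPLETE" };
    return type < sizeof names / sizeof names[0] ? names[type] : "UNKNOWN";
}

/* Constructed sample, not a real capture: port 2905 (M3UA) both ways, a DATA chunk
 * carrying 5 bytes of user data with PPID 3 (M3UA), then a SACK chunk. 52 bytes. */
static const uint8_t SAMPLE_PKT[] = {
    0x0B,0x59, 0x0B,0x59, 0xDE,0xAD,0xBE,0xEF, 0x00,0x00,0x00,0x00,  /* common header */
    0x00,0x03, 0x00,0x15,                                            /* DATA, flags B|E, len 21 */
    0x00,0x00,0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,0x00,0x03, /* TSN, SID, SSN, PPID */
    'h','e','l','l','o', 0x00,0x00,0x00,                             /* user data + 3 pad bytes */
    0x03,0x00, 0x00,0x10,                                            /* SACK, len 16 */
    0x00,0x00,0x00,0x01, 0x00,0x01,0x00,0x00, 0x00,0x00, 0x00,0x00, /* cum TSN, a_rwnd, gaps, dups */
};

int sample_chunk_count(void) { sctp_pkt_t p; return decode_sctp(SAMPLE_PKT, sizeof SAMPLE_PKT, &p); }
int sample_chunk_type(int i) {
    sctp_pkt_t p;
    return decode_sctp(SAMPLE_PKT, sizeof SAMPLE_PKT, &p) > i ? p.chunks[i].type : -1;
}
/* Same packet cut off inside the DATA chunk: the length check must reject it, not overread. */
int sample_truncated_result(void) { sctp_pkt_t p; return decode_sctp(SAMPLE_PKT, 20, &p); }
/* A chunk advertising length 0: without the clen < 4 check the loop would never terminate. */
int sample_zero_length_result(void) {
    uint8_t bad[SCTP_COMMON_HDR_LEN + SCTP_CHUNK_HDR_LEN] = {0};
    sctp_pkt_t p; return decode_sctp(bad, sizeof bad, &p);
}

int main(void)
{
    sctp_pkt_t p;
    int n = decode_sctp(SAMPLE_PKT, sizeof SAMPLE_PKT, &p);
    printf("sctp %u -> %u vtag 0x%08X chunks %d\n", p.hdr.sport, p.hdr.dport, p.hdr.vtag, n);
    for (int i = 0; i < n; i++)
        printf("  [%zu] %s flags 0x%02X len %u\n", p.chunks[i].offset,
               sctp_chunk_name(p.chunks[i].type), p.chunks[i].flags, p.chunks[i].length);
    return n < 0;
}
```

The two rejection helpers show the cases that matter when the input is a capture pulled off the web rather than a trusted peer: a truncated packet and a zero-length chunk both return -1 instead of reading past the buffer or looping. Verifying the CRC32c and the verification tag against association state is what a stream module built on top of this (the Stream5 analogue in the thread) would add.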
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Snort Supports SCTP marwane azzouzi (May 15)
- Re: Snort Supports SCTP Russ Combs (May 16)
- Re: Snort Supports SCTP Joshua Kinard (May 19)
- Re: Snort Supports SCTP Joshua Kinard (May 20)
- Re: Snort Supports SCTP Joshua Kinard (May 19)
- Re: Snort Supports SCTP Russ Combs (May 16)