Re: Snort Supports SCTP

[Joshua Kinard <kumba () gentoo org>]

On 05/20/2013 1:20 AM, Joshua Kinard wrote:
> On 05/16/2013 7:53 AM, Russ Combs wrote:
> > It is on our radar, but there are no specific plans at this point.
> >
> > On Wed, May 15, 2013 at 5:06 AM, marwane azzouzi
> > <azzouzi.marwane () hotmail fr> wrote:
> > > Hello,
> > >
> > > My question concerns the support of the SCTP protocol by Snort in a mobile
> > > context (SIGTRAN).
> > > I see that there is no preprocessor to decode the SCTP protocol such like
> > > SIP or HTTP preprocessors...
> > > Did the team intend to develop that feature?
> > >
> > > Any information ?
> > >
> > > Thx
> > >
> > > marwane
>
> Try the attached.  I have a strange fascination with SCTP, so back in 2011,
> I copied the Stream5 UDP code and made a very generic SCTP Stream5 module,
> as well as duplicated all the code points where UDP was parsed to parse
> SCTP.  I also added a DecodeSCTP function and various helpers to decode.c,
> and other bits that I'm not going to enumerate here.  I just updated all the
> code today to work with snort-2.9.4.6, and tested it on both IPv4 and
> IPv6-based packet captures that I managed to hunt down off of Google.
[snip]

Oops, I almost forgot to mention, I have a bunch of raw printf() statements
left over in decoder.c from debugging.  Remove those if they get too
annoying with the supplied patch (to be added after the first two).  I've
only tested this code on the handful of SCTP packet captures off of Google,
as I do not have a real SCTP setup to generate live traffic.


-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic

Attachment: snort-2946-sctp-kill-debugging.patch
Description:

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!