Snort mailing list archives

Re: Diameter


From: Joshua Kinard <kumba () gentoo org>
Date: Tue, 10 Apr 2012 19:42:44 -0400

On 04/10/2012 7:11 AM, karan singhania wrote:

> hi everyone,
> does anyone know how to parse diameter protocol traffic with snort?

Doesn't Diameter travel primarily over SCTP?  Snort needs to support that in
some mediocre format first.  I started a patch for basic SCTP support, but
haven't worked on it in over a year now.

I also think Diameter can travel over TCP, too.  So that would just be a
matter of using whatever RFCs or protocol documents exist to parse Diameter
and interface with Snort's internal APIs to create a dynamic preprocessor to
inspect the traffic and possibly expose a few rule options for rule writers.

Either case is going to be a challenge.  Not sure if SCTP or Diameter is
high on the developers' list of priorities.

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
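The parsing core that a Diameter preprocessor would need, as an added example that is not part of this thread or of Snort's code base: it decodes the 20-byte Diameter header and walks the AVPs with every length field checked against the bytes actually held, which is the part of such a preprocessor that must not trust the wire. Header and AVP layouts follow RFC 6733; the SAMPLE_CER bytes are constructed here (a Capabilities-Exchange-Request with two AVPs), not captured traffic, and the sample_* helpers are this example's own names. Registering with Snort's dynamic preprocessor API is not shown.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Diameter header per RFC 6733 section 3: 20 bytes, big-endian fields. */
#define DIAM_HDR_LEN   20
#define DIAM_FLAG_R    0x80  /* Request */
#define DIAM_FLAG_P    0x40  /* Proxiable */
#define DIAM_FLAG_E    0x20  /* Error */
#define DIAM_FLAG_T    0x10  /* Potentially retransmitted */
#define DIAM_FLAG_RSVD 0x0f  /* reserved bits, must be zero */
#define AVP_FLAG_V     0x80  /* Vendor-ID field present */
#define AVP_FLAG_M     0x40  /* Mandatory */

typedef struct {
    uint8_t  version, flags;
    uint32_t msg_len, cmd_code, app_id, hop_by_hop, end_to_end;
} diam_hdr_t;

typedef struct {
    uint32_t code, len, vendor_id, data_len;  /* len covers header + data, not padding */
    uint8_t  flags;
    const uint8_t *data;
} diam_avp_t;

static uint32_t be24(const uint8_t *p) { return (uint32_t)p[0] << 16 | (uint32_t)p[1] << 8 | p[2]; }
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Returns 0 on success or a negative code; msg_len is never trusted beyond buflen. */
int diam_parse_header(const uint8_t *buf, size_t buflen, diam_hdr_t *h)
{
    if (buflen < DIAM_HDR_LEN) return -1;                 /* header truncated */
    h->version = buf[0];
    if (h->version != 1) return -2;                       /* only version 1 exists */
    h->msg_len = be24(buf + 1);
    if (h->msg_len < DIAM_HDR_LEN || h->msg_len > buflen) return -3; /* length lies */
    if (h->msg_len & 3) return -4;                        /* messages are 32-bit aligned */
    h->flags = buf[4];
    if (h->flags & DIAM_FLAG_RSVD) return -5;             /* reserved flag bits set */
    h->cmd_code   = be24(buf + 5);
    h->app_id     = be32(buf + 8);
    h->hop_by_hop = be32(buf + 12);
    h->end_to_end = be32(buf + 16);
    return 0;
}

/* Walks the AVPs after a validated header; returns the AVP count or a negative code.
   Because msg_len is a multiple of 4 and off only grows by multiples of 4, an AVP
   whose len fits in `left` also fits once padded, so one bound check per AVP suffices. */
int diam_walk_avps(const uint8_t *buf, const diam_hdr_t *h,
                   void (*cb)(const diam_avp_t *, void *), void *ctx)
{
    size_t off = DIAM_HDR_LEN;
    int n = 0;
    while (off < h->msg_len) {
        diam_avp_t a;
        size_t left = h->msg_len - off;
        if (left < 8) return -1;                          /* AVP header truncated */
        a.code  = be32(buf + off);
        a.flags = buf[off + 4];
        a.len   = be24(buf + off + 5);
        size_t hdr = (a.flags & AVP_FLAG_V) ? 12 : 8;
        if (a.len < hdr || a.len > left) return -2;       /* AVP length lies */
        a.vendor_id = (hdr == 12) ? be32(buf + off + 8) : 0;
        a.data      = buf + off + hdr;
        a.data_len  = a.len - hdr;
        if (cb) cb(&a, ctx);
        n++;
        off += (a.len + 3) & ~(size_t)3;                  /* next 4-byte boundary */
    }
    return n;
}

/* Constructed sample (not captured traffic): CER, command code 257, R flag set,
   application 0, carrying Origin-Host (264) = "ex.net" and Origin-Realm (296) = "ex". */
static const uint8_t SAMPLE_CER[48] = {
    0x01, 0x00, 0x00, 0x30, 0x80, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02,
    0x00, 0x00, 0x01, 0x08, 0x40, 0x00, 0x00, 0x0e, 'e', 'x', '.', 'n', 'e', 't', 0, 0,
    0x00, 0x00, 0x01, 0x28, 0x40, 0x00, 0x00, 0x0a, 'e', 'x', 0, 0,
};

uint32_t sample_cmd_code(void)  /* 257 when the header parses cleanly */
{
    diam_hdr_t h;
    return diam_parse_header(SAMPLE_CER, sizeof SAMPLE_CER, &h) == 0 ? h.cmd_code : 0;
}

int sample_avp_count(void)  /* 2 AVPs in the sample */
{
    diam_hdr_t h;
    if (diam_parse_header(SAMPLE_CER, sizeof SAMPLE_CER, &h) != 0) return -100;
    return diam_walk_avps(SAMPLE_CER, &h, NULL, NULL);
}

int sample_truncated(void)  /* hand over 44 of 48 bytes: header claims more than held */
{
    diam_hdr_t h;
    return diam_parse_header(SAMPLE_CER, sizeof SAMPLE_CER - 4, &h);
}

int sample_bad_avp_len(void)  /* first AVP claims 64 bytes with only 28 left */
{
    uint8_t m[sizeof SAMPLE_CER];
    diam_hdr_t h;
    memcpy(m, SAMPLE_CER, sizeof m);
    m[27] = 0x40;
    if (diam_parse_header(m, sizeof m, &h) != 0) return -100;
    return diam_walk_avps(m, &h, NULL, NULL);
}

static void print_avp(const diam_avp_t *a, void *ctx)
{
    (void)ctx;
    printf("  AVP code=%u flags=0x%02x len=%u data_len=%u\n",
           (unsigned)a->code, a->flags, (unsigned)a->len, (unsigned)a->data_len);
}

int main(void)
{
    diam_hdr_t h;
    if (diam_parse_header(SAMPLE_CER, sizeof SAMPLE_CER, &h) != 0) return 1;
    printf("cmd=%u app=%u flags=0x%02x len=%u\n",
           (unsigned)h.cmd_code, (unsigned)h.app_id, h.flags, (unsigned)h.msg_len);
    diam_walk_avps(SAMPLE_CER, &h, print_avp, NULL);
    printf("truncated=%d bad_avp=%d\n", sample_truncated(), sample_bad_avp_len());
    return 0;
}
```

In a preprocessor the same two functions would run over the reassembled stream (TCP, or SCTP once Snort can reassemble it) and the command code, flags and AVP codes are the natural fields to expose as rule options; the negative return codes are the events worth alerting on, since a message whose lengths do not add up is either broken or hostile.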

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
