Snort mailing list archives
Re: Writing normalizer for snort
From: highend root <highend () onycs com>
Date: Tue, 12 Nov 2013 16:37:46 +0100
Thanks for the links! Yes, I've seen that Wireshark already has some BACnet code. Still, for a better understanding (and a starting point) I would appreciate a short introduction on how the preprocessors work and which code parts (besides the obvious) are involved. I know, asking this already disqualifies me from writing a preprocessor/normalizer, but still this would be a very interesting task for me. Also it would finally help me to decide if I'm capable of writing one.

Thx.

2013/11/12 Matt Watchinski <mwatchinski () sourcefire com>:
> You probably want to write a dynamic preprocessor that has some normalization capabilities. I'd start here: http://www.snort.org/snort-downloads/dynamic-preprocessor-starter-kit/ on how to build a dynamic preproc. Then I'd go here: http://wiki.wireshark.org/Protocols/bacnet as Wireshark has a decoder and some sample pcap traffic to test with. You will need to be relatively proficient in C to write a dynamic preprocessor.
>
> Cheers,
> -matt
>
> On Mon, Nov 11, 2013 at 2:50 PM, Harry Härpfer <highend () onycs com> wrote:
>> Hello,
>> I'm a computer science student and for my bachelor thesis I need to implement BACnet/IP (UDP) support in Snort. That means writing a normalizer for the BACnet/IP network and application layers (without the rules). As Snort is all new to me, it would be of great help if anyone could give me a short overview of how the normalizer code works and which parts of the source code would be involved in implementing BACnet/IP support. I'm not really a professional C programmer, therefore extracting this information from the code is a bit of a hassle for me. Also, any links to more specific documentation than the README files and the user manual are welcome.
>> Thx in advance.
>
> --
> Matthew Watchinski
> V.P. Vulnerability Research (VRT)
> Sourcefire, Inc.
> Office: 410-423-1928
> http://vrt-blog.snort.org && http://www.snort.org/vrt/
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
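The dynamic preprocessor Matt suggests would have to parse the BVLC and NPDU headers of every UDP datagram on the BACnet/IP port before any rule could see the APDU. The following is an added example of that parsing step with the length checks a normalizer should enforce; it is not Snort, Sourcefire or Wireshark code and does not use the dynamic preprocessor API. The field layout follows the BACnet standard (ASHRAE 135: BVLC in Annex J, NPDU in clause 6.2); the 7-octet cap on MAC address length and the sample datagrams are assumptions constructed for the example.

```c
/* Added example (not Snort, Sourcefire or Wireshark code): the BVLC and NPDU
 * header checks a BACnet/IP normalizer would run on each UDP payload before
 * handing the APDU to detection. Layout follows ASHRAE 135 Annex J (BVLC)
 * and clause 6.2 (NPDU); all sample datagrams below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BVLC_TYPE_BACNET_IP          0x81
#define BVLC_FORWARDED_NPDU          0x04
#define BVLC_ORIGINAL_UNICAST_NPDU   0x0A
#define BVLC_ORIGINAL_BROADCAST_NPDU 0x0B
#define NPDU_VERSION                 0x01
#define NPDU_CTRL_DNET 0x20  /* bit 5: DNET/DLEN/DADR and hop count present */
#define NPDU_CTRL_SNET 0x08  /* bit 3: SNET/SLEN/SADR present */
#define MAX_MAC_LEN    7     /* assumption: longest MAC address (LonTalk) is 7 octets */

enum bacnet_status { BACNET_OK = 0, BACNET_ERR_SHORT, BACNET_ERR_TYPE,
                     BACNET_ERR_LENGTH, BACNET_ERR_VERSION, BACNET_ERR_ADDR };

struct bacnet_hdr {
    uint8_t  bvlc_function, npdu_control, dlen, slen, hop_count;
    uint16_t bvlc_length, dnet, snet;
    int      has_dnet, has_snet;
    size_t   nsdu_offset, nsdu_len;  /* APDU (or network message) in the datagram */
};

/* Parse BVLC + NPDU with strict bounds checks. Every length field is
 * validated against the real datagram length, never trusted on its own;
 * a mismatch is exactly what a normalizer should alert on. */
int bacnet_parse(const uint8_t *buf, size_t len, struct bacnet_hdr *h)
{
    size_t off = 4;
    memset(h, 0, sizeof *h);
    if (len < 4) return BACNET_ERR_SHORT;
    if (buf[0] != BVLC_TYPE_BACNET_IP) return BACNET_ERR_TYPE;
    h->bvlc_function = buf[1];
    h->bvlc_length = (uint16_t)((buf[2] << 8) | buf[3]);
    if (h->bvlc_length != len) return BACNET_ERR_LENGTH;  /* length covers the BVLC header too */

    switch (h->bvlc_function) {
    case BVLC_ORIGINAL_UNICAST_NPDU:
    case BVLC_ORIGINAL_BROADCAST_NPDU: break;
    case BVLC_FORWARDED_NPDU: off += 6; break;  /* originating B/IP address: IPv4 + port */
    default:  /* BBMD/foreign-device management functions carry no NPDU */
        h->nsdu_offset = off; h->nsdu_len = len - off;
        return BACNET_OK;
    }
    if (len < off + 2) return BACNET_ERR_SHORT;
    if (buf[off] != NPDU_VERSION) return BACNET_ERR_VERSION;
    h->npdu_control = buf[off + 1];
    off += 2;

    if (h->npdu_control & NPDU_CTRL_DNET) {
        if (len < off + 3) return BACNET_ERR_SHORT;
        h->has_dnet = 1;
        h->dnet = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        h->dlen = buf[off + 2];
        off += 3;
        if (h->dlen > MAX_MAC_LEN) return BACNET_ERR_ADDR;  /* DLEN 0 = broadcast on DNET */
        if (len < off + h->dlen) return BACNET_ERR_SHORT;
        off += h->dlen;
    }
    if (h->npdu_control & NPDU_CTRL_SNET) {
        if (len < off + 3) return BACNET_ERR_SHORT;
        h->has_snet = 1;
        h->snet = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        h->slen = buf[off + 2];
        off += 3;
        if (h->slen == 0 || h->slen > MAX_MAC_LEN) return BACNET_ERR_ADDR;  /* SLEN 0 is invalid */
        if (len < off + h->slen) return BACNET_ERR_SHORT;
        off += h->slen;
    }
    if (h->has_dnet) {  /* hop count follows the source address when DNET is present */
        if (len < off + 1) return BACNET_ERR_SHORT;
        h->hop_count = buf[off++];
    }
    h->nsdu_offset = off;
    h->nsdu_len = len - off;
    return BACNET_OK;
}

/* Constructed datagrams, not captured traffic. */
const uint8_t SAMPLE_WHO_IS[] = {  /* Original-Broadcast-NPDU carrying Who-Is */
    0x81, 0x0B, 0x00, 0x08, 0x01, 0x00, 0x10, 0x08 };
const uint8_t SAMPLE_ROUTED[] = {  /* Original-Unicast-NPDU, DNET 1, DADR 0x05, hop count 255 */
    0x81, 0x0A, 0x00, 0x0D, 0x01, 0x24, 0x00, 0x01, 0x01, 0x05, 0xFF, 0x10, 0x08 };
const uint8_t SAMPLE_BAD_LENGTH[] = {  /* BVLC length claims 12 octets, datagram has 8 */
    0x81, 0x0B, 0x00, 0x0C, 0x01, 0x00, 0x10, 0x08 };
const uint8_t SAMPLE_TRUNC_DADR[] = {  /* DLEN 3 but no DADR octets follow */
    0x81, 0x0A, 0x00, 0x09, 0x01, 0x24, 0x00, 0x01, 0x03 };

int bacnet_status_of(const uint8_t *buf, size_t len)
{ struct bacnet_hdr h; return bacnet_parse(buf, len, &h); }

/* Hop count of a routed datagram, or -1 when it does not parse or has no DNET. */
int bacnet_hop_count_of(const uint8_t *buf, size_t len)
{ struct bacnet_hdr h;
  return (bacnet_parse(buf, len, &h) == BACNET_OK && h.has_dnet) ? h.hop_count : -1; }

/* Offset of the APDU inside the datagram, or -1 when it does not parse. */
long bacnet_nsdu_offset_of(const uint8_t *buf, size_t len)
{ struct bacnet_hdr h;
  return bacnet_parse(buf, len, &h) == BACNET_OK ? (long)h.nsdu_offset : -1; }

int main(void)
{
    printf("routed: status %d, hop %d, APDU at %ld\n",
           bacnet_status_of(SAMPLE_ROUTED, sizeof SAMPLE_ROUTED),
           bacnet_hop_count_of(SAMPLE_ROUTED, sizeof SAMPLE_ROUTED),
           bacnet_nsdu_offset_of(SAMPLE_ROUTED, sizeof SAMPLE_ROUTED));
    printf("bad length: status %d\n", bacnet_status_of(SAMPLE_BAD_LENGTH, sizeof SAMPLE_BAD_LENGTH));
    return 0;
}
```

Hooking this into the starter-kit skeleton means calling bacnet_parse() from the preprocessor's packet callback on UDP payloads to or from port 47808 (0xBAC0) and raising an alert for any non-zero status; nsdu_offset is where rule content matching on the APDU should start. The BVLC length check is the one most worth keeping strict: a datagram whose declared length disagrees with the UDP payload is either a bug in the sender or an attempt to make the parser read past the buffer.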
Current thread:
- Writing normalizer for snort Harry Härpfer (Nov 11)
- Re: Writing normalizer for snort Matt Watchinski (Nov 12)
- Re: Writing normalizer for snort highend root (Nov 12)
- Re: Writing normalizer for snort Matt Watchinski (Nov 12)