Home page logo
/

snort logo Snort mailing list archives

Re: Snort Supports SCTP
From: Joshua Kinard <kumba () gentoo org>
Date: Mon, 20 May 2013 13:52:01 -0400

On 05/20/2013 1:20 AM, Joshua Kinard wrote:
On 05/16/2013 7:53 AM, Russ Combs wrote:
It is on our radar, but there are no specific plans at this point.

On Wed, May 15, 2013 at 5:06 AM, marwane azzouzi
<azzouzi.marwane () hotmail fr> wrote:

Hello,

My question concerns the support of the SCTP protocol by Snort in a mobile
context (SIGTRAN).
I see that there is no preprocessor to decode the SCTP protocol such like
SIP or HTTP preprocessors...
Did the team intend to develop that feature?

Any information ?

Thx

marwane

Try the attached.  I have a strange fascination with SCTP, so back in 2011,
I copied the Stream5 UDP code and made a very generic SCTP Stream5 module,
as well as duplicated all the code points where UDP was parsed to parse
SCTP.  I also added a DecodeSCTP function and various helpers to decode.c,
and other bits that I'm not going to enumerate here.  I just updated all the
code today to work with snort-2.9.4.6, and tested it on both IPv4 and
IPv6-based packet captures that I managed to hunt down off of Google.
[snip]

Oops, I almost forgot to mention, I have a bunch of raw printf() statements
left over in decoder.c from debugging.  Remove those if they get too
annoying with the supplied patch (to be added after the first two).  I've
only tested this code on the handful of SCTP packet captures off of Google,
as I do not have a real SCTP setup to generate live traffic.


-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic

Attachment: snort-2946-sctp-kill-debugging.patch
Description:

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault