Had some questions about the signature framework for detecting an application protocol.
Is it possible to manipulate bytes for endianness or will they always come in little endian?
Is it possible to perform bitwise opperations on payload bytes so that you may perform checks against subsets of bits within the byte?
For example I have to look at the first 4 bits of a bigendian defined application layer protocol. For my test cases I can match signatures against a known 8 bit little endian regex but not sure how to get to 4 bits because the next 4 bits will change in an operational environment.
If not Im guessing I would have to pump all traffic through my binpac analyzer and do the detection there?
Had some questions about the signature framework for detecting an application protocol.
Is it possible to manipulate bytes for endianness or will they always come in little endian?
Byte order isn’t considered; payloads are a string of bytes and signatures may use a regex to match on that.
Is it possible to perform bitwise opperations on payload bytes so that you may perform checks against subsets of bits within the byte?
For example I have to look at the first 4 bits of a bigendian defined application layer protocol. For my test cases I can match signatures against a known 8 bit little endian regex but not sure how to get to 4 bits because the next 4 bits will change in an operational environment.
I think so, but it would mean I could match the first 4 bits but would then have to include all possible permutations for the next 4 bits with each of those desired first 4.
Had hoped I could just generate a mask to grab the first four bits 0x0F, and then match against those.
Yeah, the result isn’t always concise and you may want to code/script something to auto-generate character classes for a given mask/value, but that’s a way that’s worked for some signatures I’ve done.
I think so, but it would mean I could match the first 4 bits but would
then have to include all possible permutations for the next 4 bits with
each of those desired first 4.
Had hoped I could just generate a mask to grab the first four bits 0x0F,
and then match against those.
Yeah, the result isn’t always concise and you may want to code/script
something to auto-generate character classes for a given mask/value, but
that’s a way that’s worked for some signatures I’ve done.
I will do that then.
As an alternative I wanted to look at every stream (tcp) and packet (udp)
then do the match in my analyzer code. But site documentation only
references DPM.cc to perform this hooking which I can only find in the 2.1
code base not 2.2 or 2.3. Which of the analyzers in the 2.3 release could
I use as a reference?
analyzer::Manager::BuildInitialAnalyzerTree() is what that the documentation should say for newer versions. Another way maybe you can do what you want without changing source code directly is to make a payload regex that matches everything and enables the analyzer you are writing.
documentation should say for newer versions. Another way maybe you can do
what you want without changing source code directly is to make a payload
regex that matches everything and enables the analyzer you are writing.