[Snort-devel] Writing normalizer for snort

Matt Watchinski mwatchinski at ...402...
Tue Nov 12 08:20:31 EST 2013


You probably want to write a dynamic preprocessor that has some
normalization capabilities.

I'd start here: http://www.snort.org/snort-downloads/dynamic-preprocessor-starter-kit/
on how to build a dynamic preproc.

Then I'd go here: http://wiki.wireshark.org/Protocols/bacnet as Wireshark
has a decoder and some sample pcap traffic to test with.

You will need to be relatively proficient in C to write a dynamic
preprocessor.

Cheers,
-matt


On Mon, Nov 11, 2013 at 2:50 PM, Harry Härpfer <highend at ...3447...> wrote:

> Hello,
>
> I'm a computer science student and for my bachelor thesis I need to
> implement BACnet/IP (UDP) support in snort. This means writing a normalizer
> for the BACnet/IP network and application layers (w/o the rules).
>
> As snort is all new to me it would be of great help if anyone could give
> me a short overview on how the normalizer code works and which parts of the
> source code would be involved in implementing BACnet/IP support.
>
> I'm not really a professional C programmer, therefore extracting this
> information from the code is a bit of a hassle for me.
>
> Also any links to more specific documentation than the README files and
> the user manual are welcome.
>
> Thx in advance.
>
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>



-- 
Matthew Watchinski
V.P. Vulnerability Research (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-blog.snort.org && http://www.snort.org/vrt/
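The part of such a preprocessor that is independent of Snort's plugin API is the BACnet/IP decoder itself: the normalizer has to walk the BVLC header, the NPDU with its optional DNET/SNET fields, and then locate the APDU, checking every length against the bytes actually received. The following is an added example written for this page, not code from the thread, from the Snort starter kit or from the Wireshark dissector. It assumes it would be called from the preprocessor's per-packet callback on UDP payloads (that integration with the `_dpd` API is not shown), takes the field layouts from ASHRAE 135 Annex J (BVLC) and the NPDU control octet definition, and uses constructed sample datagrams rather than captured traffic. Each malformation a normalizer would want to alert on (claimed BVLC length different from the real payload length, fields truncated inside the NPDU, bad version, zero SLEN) is reported as a distinct return code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BVLC header (ASHRAE 135 Annex J) and NPDU control octet bits (clause 6.2.2) */
#define BVLC_TYPE_BIP        0x81
#define BVLC_FORWARDED_NPDU  0x04   /* header is followed by a 6-byte originating B/IP address */
#define BVLC_UNICAST_NPDU    0x0A
#define BVLC_BROADCAST_NPDU  0x0B   /* highest defined function code */
#define NPDU_CTRL_NET_MSG    0x80   /* network-layer message, no APDU */
#define NPDU_CTRL_DEST       0x20   /* DNET/DLEN/DADR present, hop count follows */
#define NPDU_CTRL_SRC        0x08   /* SNET/SLEN/SADR present */
/* Every bound is checked against len (bytes actually present), never against the claimed length. */
#define NEED(n) do { if (len < off + (size_t)(n)) return BAC_ERR_TRUNC_NPDU; } while (0)

typedef enum { BAC_OK = 0, BAC_ERR_SHORT, BAC_ERR_NOT_BVLC, BAC_ERR_LEN_MISMATCH, BAC_ERR_BAD_FUNC,
               BAC_ERR_TRUNC_NPDU, BAC_ERR_BAD_VERSION, BAC_ERR_BAD_SLEN, BAC_ERR_NO_APDU } bac_err_t;
typedef struct {
    uint8_t  bvlc_function, npdu_control, hop_count;
    uint16_t bvlc_length, dnet, snet;           /* bvlc_length: as claimed by the header */
    int      has_dnet, has_snet, is_network_msg;
    size_t   apdu_offset, apdu_len;
    int      apdu_type, service_choice;         /* -1 when absent */
} bacnet_ip_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

bac_err_t bacnet_ip_parse(const uint8_t *buf, size_t len, bacnet_ip_t *out)
{
    size_t off = 4; uint8_t alen;             /* BVLC header: type, function, 16-bit length */
    memset(out, 0, sizeof *out);
    out->apdu_type = out->service_choice = -1;
    if (len < 4)                  return BAC_ERR_SHORT;
    if (buf[0] != BVLC_TYPE_BIP)  return BAC_ERR_NOT_BVLC;
    out->bvlc_function = buf[1];
    out->bvlc_length   = rd16(buf + 2);
    if (out->bvlc_length != len)  return BAC_ERR_LEN_MISMATCH;   /* must equal the UDP payload length */
    if (out->bvlc_function > BVLC_BROADCAST_NPDU) return BAC_ERR_BAD_FUNC;
    if (out->bvlc_function == BVLC_FORWARDED_NPDU) {
        NEED(6);
        off += 6;                             /* skip originating B/IP address (IPv4 + port) */
    } else if (out->bvlc_function != BVLC_UNICAST_NPDU && out->bvlc_function != BVLC_BROADCAST_NPDU)
        return BAC_OK;                        /* BDT/FDT control messages carry no NPDU */
    NEED(2);                                  /* NPDU version + control octet */
    if (buf[off] != 0x01)         return BAC_ERR_BAD_VERSION;
    out->npdu_control = buf[off + 1];
    off += 2;
    if (out->npdu_control & NPDU_CTRL_DEST) {
        NEED(3);
        out->has_dnet = 1;
        out->dnet = rd16(buf + off);
        alen = buf[off + 2];                  /* DLEN 0 = broadcast on DNET, no DADR */
        off += 3;
        NEED(alen);
        off += alen;
    }
    if (out->npdu_control & NPDU_CTRL_SRC) {
        NEED(3);
        out->has_snet = 1;
        out->snet = rd16(buf + off);
        alen = buf[off + 2];
        off += 3;
        if (alen == 0)            return BAC_ERR_BAD_SLEN;       /* SLEN 0 is invalid */
        NEED(alen);
        off += alen;
    }
    if (out->has_dnet) { NEED(1); out->hop_count = buf[off++]; }
    out->apdu_offset = off;
    out->apdu_len    = len - off;
    if (out->npdu_control & NPDU_CTRL_NET_MSG) { out->is_network_msg = 1; return BAC_OK; }
    if (out->apdu_len < 1)        return BAC_ERR_NO_APDU;
    out->apdu_type = buf[off] >> 4;
    if (out->apdu_type == 0) {                /* Confirmed-Request: type, max-resp, invoke-id, [seq, window], service */
        size_t svc = (buf[off] & 0x08) ? 5 : 3;               /* bit 3 = segmented */
        if (out->apdu_len > svc) out->service_choice = buf[off + svc];
    } else if (out->apdu_type == 1 && out->apdu_len > 1) {    /* Unconfirmed-Request: type, service */
        out->service_choice = buf[off + 1];
    }
    return BAC_OK;
}

/* Constructed sample datagrams for this example, not captured traffic. */
static const uint8_t SAMPLE_WHOIS[]     = { 0x81,0x0b,0x00,0x0c, 0x01,0x20,0xff,0xff,0x00,0xff, 0x10,0x08 };
static const uint8_t SAMPLE_READPROP[]  = { 0x81,0x0a,0x00,0x11, 0x01,0x04,
                                            0x00,0x05,0x01,0x0c, 0x0c,0x02,0x00,0x00,0x01,0x19,0x4d };
static const uint8_t SAMPLE_FORWARDED[] = { 0x81,0x04,0x00,0x12, 0xc0,0xa8,0x01,0x05,0xba,0xc0,
                                            0x01,0x20,0xff,0xff,0x00,0xff, 0x10,0x08 };
static const uint8_t SAMPLE_NETMSG[]    = { 0x81,0x0b,0x00,0x07, 0x01,0x80,0x00 };   /* Who-Is-Router-To-Network */
static const uint8_t SAMPLE_BADLEN[]    = { 0x81,0x0b,0x00,0x40, 0x01,0x20,0xff,0xff,0x00,0xff, 0x10,0x08 };
static const uint8_t SAMPLE_TRUNC[]     = { 0x81,0x0a,0x00,0x07, 0x01,0x20,0xff };   /* DNET fields cut short */

int main(void)
{
    bacnet_ip_t r;
    bac_err_t e = bacnet_ip_parse(SAMPLE_READPROP, sizeof SAMPLE_READPROP, &r);
    printf("err=%d func=0x%02x apdu_type=%d service=0x%02x apdu_len=%zu\n",
           e, r.bvlc_function, r.apdu_type, r.service_choice, r.apdu_len);
    return 0;
}
```

Build it with any C99 compiler (e.g. `cc -std=c99 -Wall` on the file); inside a preprocessor the same function would run on each UDP/47808 payload and any non-zero return is the condition to alert on. The design point worth keeping when moving this into Snort is that the BVLC length field is treated as a claim to be verified, and all subsequent offsets are bounded by the real packet length; a decoder that trusts the header length is exactly the kind of code a malformed BACnet datagram will crash.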