[Snort-devel] Writing normalizer for snort
highend at ...3447...
Tue Nov 12 10:37:46 EST 2013
Thanks for the Links!
Yes, I've seen that wireshark already has some BACnet code.
Still, for a better understanding (and a starting point) I would appreciate
a short introduction on how the preprocessors work and which code parts
(beside the obvious) are involved.
I know, asking this already disqualifies me for writing a
preprocessor/normalizer but still this would be a very interesting task for
me. Also it would finally help me to decide if I'm capable of writing one.
2013/11/12 Matt Watchinski <mwatchinski at ...402...>
> You probably want to write a dynamic preprocessor that has some
> normalization capabilities.
> I'd start here :
> http://www.snort.org/snort-downloads/dynamic-preprocessor-starter-kit/ on
> how to build a dynamic preproc
> Then I'd go here : http://wiki.wireshark.org/Protocols/bacnet as
> wireshark has a decoder and some sample pcap traffic to test with.
> You will need to be relatively proficient in C to write a dynamic
> On Mon, Nov 11, 2013 at 2:50 PM, Harry Härpfer <highend at ...3447...> wrote:
>> I'm a computer science student and for my bachelor thesis I need to
>> implement BACnet/IP (UDP) support in
>> snort. Means to write a normalizer for the BACnet/IP network and
>> application layers (w/o the rules).
>> As snort is all new to me it would be of great help if anyone could give
>> me a short overview on how the normalizer code works and which parts of the
>> source code would be involved in implementing BACnet/IP support.
>> I'm not really a professional C programmer, therefore extracting this
>> information from the code is a bit of a hassle for me.
>> Also any links to more specific documentation than the README files and
>> the user manual are welcome.
>> Thx in advance.
> Matthew Watchinski
> V.P. Vulnerability Research (VRT)
> Sourcefire, Inc.
> Office: 410-423-1928
> http://vrt-blog.snort.org && http://www.snort.org/vrt/
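As an added example, not code from this thread, the starter kit or the Snort project: the first check a BACnet/IP normalizer would make on each UDP payload before any rule sees it, written in plain C with no Snort dependency so it can be tried on its own. The BVLC and NPDU constants follow the BACnet/IP framing (BVLC header, then NPDU), and the Who-Is frame is constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* BACnet/IP framing constants (ASHRAE 135 Annex J). */
#define BVLC_TYPE_BACNET_IP     0x81
#define BVLC_FORWARDED_NPDU     0x04
#define BVLC_ORIGINAL_UNICAST   0x0A
#define BVLC_ORIGINAL_BROADCAST 0x0B
#define NPDU_VERSION            0x01
enum bvlc_verdict {
    BVLC_OK = 0,
    BVLC_TRUNCATED,          /* fewer bytes than the headers need        */
    BVLC_BAD_TYPE,           /* first octet is not 0x81                  */
    BVLC_LEN_MISMATCH,       /* BVLC length field != UDP payload length  */
    BVLC_UNHANDLED_FUNCTION, /* BVLC function this check does not decode */
    BVLC_BAD_NPDU_VERSION    /* NPDU version octet is not 1              */
};

/* Validate the BVLC header of one UDP payload and locate the NPDU. Returns
 * BVLC_OK (with the NPDU offset in *npdu_off) or the first inconsistency;
 * a normalizer would raise an event on any non-OK verdict instead of guessing. */
enum bvlc_verdict bvlc_check(const uint8_t *buf, size_t len, size_t *npdu_off)
{
    if (len < 4) return BVLC_TRUNCATED;
    if (buf[0] != BVLC_TYPE_BACNET_IP) return BVLC_BAD_TYPE;
    /* The 16-bit big-endian length covers the whole BVLC unit, header
     * included; it must equal the UDP payload length exactly. */
    size_t bvlc_len = ((size_t)buf[2] << 8) | buf[3];
    if (bvlc_len != len) return BVLC_LEN_MISMATCH;
    size_t off;
    switch (buf[1]) {
    case BVLC_ORIGINAL_UNICAST:
    case BVLC_ORIGINAL_BROADCAST: off = 4; break;
    case BVLC_FORWARDED_NPDU:     off = 4 + 6; break; /* + original B/IP address */
    default: return BVLC_UNHANDLED_FUNCTION;
    }
    if (len < off + 2) return BVLC_TRUNCATED;          /* NPDU version + control */
    if (buf[off] != NPDU_VERSION) return BVLC_BAD_NPDU_VERSION;
    if (npdu_off) *npdu_off = off;
    return BVLC_OK;
}

/* Constructed sample: Original-Broadcast-NPDU carrying an unconfirmed
 * Who-Is to the global DNET 0xFFFF, the frame seen in most BACnet captures. */
const uint8_t WHOIS_FRAME[] = {
    0x81, 0x0B, 0x00, 0x0C,              /* BVLC: type, function, length 12 */
    0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF,  /* NPDU: version 1, dest DNET 0xFFFF */
    0x10, 0x08                           /* APDU: Unconfirmed-Request, Who-Is */
};
```

Feeding the same frame with a shorter length shows the length-field check catching a BVLC header that disagrees with the datagram it sits in.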