[Snort-devel] Writing normalizer for snort

highend root highend at ...3447...
Tue Nov 12 10:37:46 EST 2013

Thanks for the Links!

Yes, I've seen that wireshark already has some BACnet code.

Still, for a better understanding (and a starting point) I would appreciate
a short introduction on how the preprocessor works and which code parts
(besides the obvious) are involved.

I know, asking this already disqualifies me for writing a
preprocessor/normalizer but still this would be a very interesting task for
me. Also it would finally help me to decide if I'm capable of writing one.


2013/11/12 Matt Watchinski <mwatchinski at ...402...>

> You probably want to write a dynamic preprocessor that has some
> normalization capabilities.
> I'd start here :
> http://www.snort.org/snort-downloads/dynamic-preprocessor-starter-kit/ on
> how to build a dynamic preproc
> Then I'd go here : http://wiki.wireshark.org/Protocols/bacnet as
> wireshark has a decoder and some sample pcap traffic to test with.
> You will need to be relatively proficient in C to write a dynamic
> preprocessor.
> Cheers,
> -matt
> On Mon, Nov 11, 2013 at 2:50 PM, Harry Härpfer <highend at ...3447...> wrote:
>> Hello,
>> I'm a computer science student and for my bachelor thesis I need to
>> implement BACnet/IP (UDP) support in
>> snort. That means writing a normalizer for the BACnet/IP network and
>> application layers (w/o the rules).
>> As snort is all new to me it would be of great help if anyone could give
>> me a short overview on how the normalizer code works and which parts of the
>> source code would be involved in implementing BACnet/IP support.
>> I'm not really a professional C programmer, therefore extracting this
>> information from the code is a bit of a hassle for me.
>> Also any links to more specific documentation than the README files and
>> the user manual are welcome.
>> Thx in advance.
> --
> Matthew Watchinski
> V.P. Vulnerability Research (VRT)
> Sourcefire, Inc.
> Office: 410-423-1928
> http://vrt-blog.snort.org && http://www.snort.org/vrt/