No subject

Thu Nov 23 16:31:58 EST 2017

protocol numbering scheme that could describe protocols at any of
the 7 (or whatever) layers.  (The system is agnostic about layering;
I'm just explaining myself here.)  Handlers for these protocols
would be registered.  The handlers would be fed packets by the core.
If these handlers decode higher-layer protocols, then they would pass the
packets of this protocol back into the core, which would submit them to the
appropriate handler.  As long as at least one byte is stripped from the
packet each time a layer is crossed, which is a reasonable condition to
put on protocol handlers, then eventually this process will terminate,
because packet acquisition engines provide finite-sized packets.

The grinders and the preprocessors would be converted into these protocol
Yes, you, the reader, are expected to think about these questions and
post your thoughts.

0) I think that a system like the above could, fairly easily, be made
compatible with the snort-1 rule format.

1) Are handlers code, or are they rules?  What parts of this should be
done with code, and which parts with rules?  Will each handler need its
own rule input API, or its own set of operators in the universal rule API?
I don't know right now what the right answer is, but I do think that I
would recognize it if it bit me, so post your ideas.

2) For stateful protocols, how do you track state?  Who is responsible for
state information?  How is it shared across different parts of the stack?
How does garbage collection work for state information?

3) Are protocols ever _necessarily_ hierarchical?  I personally do not
think so, but I am certainly open to arguments that they are.

4) How do we name/number protocols across layers?  There are physical
media, as numbered by the pcap media types (ethernet, FDDI), ethernet
protocols (IP, AppleTalk), IP protocols (TCP, UDP), TCP protocols (HTTP,
SMTP), and now, HTTP protocols.  We need a universal way to denote these.
I think that this will probably be something like (<regime-id>, <protocol
number>).  Regime would be one of:

	- pcap media
	- ethernet protocols
	- PPP protocols
	- TCP protocols
	- etc.

Each of these already has its own integer protocol numbering scheme.

The TCP handler would know that when it sees traffic of (TCP, 202),
this is AppleTalk name binding traffic, and that the payload should
be resubmitted to the core as (DDP, 2).  (From my cursory examination
of the netatalk source code, DDP is itself either (AFP, 2) or (AT, 0);
I do not understand AppleTalk and really have no idea.  Many of these
protocol enumerations are spelled out in RFC 1700, which I've not yet
surveyed for these purposes.)
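As an added illustration of the core/handler loop described at the start of this message together with the (regime-id, protocol number) naming above (example code, not Snort's or the author's; the regime names, the handlers and the sample frame are constructed assumptions):

```python
# Added example (not Snort code): a minimal core that dispatches packets to
# handlers keyed by (regime-id, protocol number), re-queues whatever a handler
# decodes, and rejects resubmissions that did not strip at least one byte.
import struct

PCAP, ETHER, IP, TCP = "pcap media", "ethernet protocols", "IP protocols", "TCP protocols"
HANDLERS = {}  # (regime, number) -> handler(payload) -> [(regime, number, payload)]

def register(regime, number):
    def deco(fn):
        HANDLERS[(regime, number)] = fn
        return fn
    return deco

@register(PCAP, 1)  # pcap link type 1 = Ethernet: strip 14-byte header, key on ethertype
def ethernet(frame):
    return [(ETHER, struct.unpack("!H", frame[12:14])[0], frame[14:])]

@register(ETHER, 0x0800)  # IPv4: header length from IHL, key on the protocol byte
def ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return [(IP, pkt[9], pkt[ihl:])]

@register(IP, 6)  # TCP: strip the data offset, key on the destination port
def tcp(seg):
    doff = (seg[12] >> 4) * 4
    return [(TCP, struct.unpack("!H", seg[2:4])[0], seg[doff:])]

@register(TCP, 80)  # HTTP is a leaf here: nothing is resubmitted to the core
def http(payload):
    return []

def dispatch(regime, number, payload):
    """Run one packet through the core; return the chain of handlers visited."""
    queue, trace = [(regime, number, payload)], []
    while queue:
        regime, number, payload = queue.pop(0)
        fn = HANDLERS.get((regime, number))
        if fn is None:
            trace.append(("unhandled", regime, number))
            continue
        trace.append(fn.__name__)
        for r, n, inner in fn(payload):
            if len(inner) >= len(payload):  # the termination condition from the post
                raise ValueError(f"{fn.__name__} did not strip any bytes")
            queue.append((r, n, inner))
    return trace

# Constructed frame: Ethernet -> IPv4 (protocol 6) -> TCP to port 80 -> HTTP request line
FRAME = (bytes(12) + b"\x08\x00"
         + bytes([0x45, 0, 0, 0, 0, 0, 0, 0, 64, 6]) + bytes(10)
         + struct.pack("!HH", 40000, 80) + bytes(8) + bytes([0x50]) + bytes(7)
         + b"GET / HTTP/1.0\r\n")

if __name__ == "__main__":
    print(dispatch(PCAP, 1, FRAME))  # ['ethernet', 'ipv4', 'tcp', 'http']
```

A handler for an unknown (regime, number) pair is simply recorded as unhandled, and a handler that hands the core a payload no shorter than its input is refused, which is what guarantees the loop ends on a finite packet.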

That's all I've got for now.  Hopefully this will be enough to get
other people's creative juices flowing over this idea and get some ideas
stirred up.

Todd Lewis
tlewis at ...255...

More information about the Snort-devel mailing list