How should a non-application layer protocol like Profinet be added to Suricata? Can a Python code template be used to generate some code, similar to how application-layer code is introduced?
What do you want for it? Logging? Detection?
Is Profinet directly over Ethernet and not over TCP?
From what I saw, for real-time, Profinet skips TCP/UDP…
Some info gathered from more senior team members:
We have a redmine ticket to track such type of work, in general: Task #5678: tracking: Parse protocols that are not over TCP/UDP - Suricata - Open Information Security Foundation
We recently have ARP support merged, thanks to the effort of Giuseppe Longo - if someone would like to try something like that, it’s a good idea to check his work: Feature #6827: arp: implement decoder and logger - Suricata - Open Information Security Foundation
There’s also suricata/scripts/setup-decoder.sh at master · OISF/suricata · GitHub, but is probably less up-to-date than the work done for ARP support.
And, last but not least - while these show that it is possible to implement such a type of protocol for Suri, it’s important to bear in mind that Transactions - which we have for Application layer protocols - are not supported for non-TCP/UDP protos…
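As an added illustration (my own stand-alone sketch, not Suricata's decoder API and not code from this thread), this is the shape a decoder for an Ethernet-carried protocol takes: dispatch on EtherType, a length check before every field read, and a distinct status for malformed frames that a real decoder would turn into a decoder event. The EtherType 0x8892, the optional 802.1Q tag and the FrameID field follow the PROFINET RT frame layout, which the thread itself does not spell out; the sample frame is constructed.

```c
#include <stdint.h>
#include <stddef.h>
/* Illustrative stand-alone sketch; this is not Suricata's decoder API.
 * EtherType and frame-layout constants come from the PROFINET RT spec,
 * not from the forum thread above. */
#define ETHERTYPE_VLAN     0x8100u
#define ETHERTYPE_PROFINET 0x8892u
#define ETH_HDR_LEN        14u
#define PN_RT_FRAMEID_LEN  2u
enum decode_result { DECODE_OK, DECODE_INVALID, DECODE_NOT_PROFINET };
struct pn_rt_frame {
    uint16_t frame_id;      /* the two bytes right after the EtherType */
    const uint8_t *payload; /* cyclic data / APDU following the FrameID */
    size_t payload_len;
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Walks the Ethernet header (plus at most one 802.1Q tag, since RT frames are
 * usually priority-tagged) and decodes frames whose EtherType is 0x8892.
 * Every field read is preceded by a length check; a truncated frame yields
 * DECODE_INVALID, which a real decoder would report as a decoder event. */
enum decode_result decode_eth_profinet(const uint8_t *pkt, size_t len,
                                       struct pn_rt_frame *out)
{
    if (len < ETH_HDR_LEN)
        return DECODE_INVALID;
    size_t off = 12;                      /* skip dst + src MAC */
    uint16_t ethertype = rd16(pkt + off);
    off += 2;
    if (ethertype == ETHERTYPE_VLAN) {
        if (len < off + 4)
            return DECODE_INVALID;
        ethertype = rd16(pkt + off + 2);  /* TCI (2 bytes), then inner EtherType */
        off += 4;
    }
    if (ethertype != ETHERTYPE_PROFINET)
        return DECODE_NOT_PROFINET;       /* hand off to another decoder */
    if (len < off + PN_RT_FRAMEID_LEN)
        return DECODE_INVALID;
    out->frame_id = rd16(pkt + off);
    out->payload = pkt + off + PN_RT_FRAMEID_LEN;
    out->payload_len = len - off - PN_RT_FRAMEID_LEN;
    return DECODE_OK;
}
/* Constructed sample: dst, src, 802.1Q tag (prio 6), 0x8892, FrameID 0x8000, 4 data bytes. */
static const uint8_t sample_frame[] = {
    0x01,0x0e,0xcf,0x00,0x00,0x00, 0x00,0x11,0x22,0x33,0x44,0x55,
    0x81,0x00, 0xc0,0x00, 0x88,0x92, 0x80,0x00, 0xde,0xad,0xbe,0xef };
```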
Profinet uses Ethernet but does not use TCP or UDP. My goal is to detect and parse using Suricata.
Thank you for your response. I’ll go check out the relevant information now.