[Dev] New AppLayer Detection on TCP Protocol

Hello,

I am currently developing a new app-layer detection for a specific TCP-based protocol.

The problem is: I can count one transaction, no problem. So a conversation between a client and server I can catch and do the parsing/analyzing if the protocol is well implemented.

However beyond one conversation (interaction between one client and one server), I don’t understand how I can increment the Transaction part to handle the other conversations (another client with the same server, or another client with another server, etc.)

If someone could enlighten me on this, that would be very nice :slight_smile:
(I have the code I can share, RFC is public)

Thank you in Advance for your help!

Hi @jc_r!
Welcome to our forum. :slight_smile:

You would generally associate the transactions with a protocol “State”. Transactions can be saved in an array as a part of this state. Each protocol has some kind of an identifier (say idn) that matches a request-response pair. Each time you receive a new request, you update the transaction ID after checking if the transaction with ID idn does not already exist in the State transaction array.

Are you writing this in C or Rust? Maybe I could link certain parts of code to help you.
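Added example, not part of the original thread and not Suricata's own code: a minimal C sketch of the find-or-create logic described in the reply above. All names (`DemoState`, `DemoTx`, `idn`, the handler functions) are hypothetical, and it assumes one state object per connection, so a second client or server gets its own state and its own transaction counter.

```c
#include <stdint.h>
#include <stdlib.h>

/* All names are hypothetical; this is not Suricata's own API. */
typedef struct DemoTx_ {
    uint64_t tx_id;        /* internal counter value, unique within one state */
    uint32_t idn;          /* protocol identifier pairing request and response */
    int has_response;
    struct DemoTx_ *next;
} DemoTx;

typedef struct DemoState_ { /* assumed: one state per connection */
    DemoTx *head, *tail;
    uint64_t tx_cnt;       /* transactions created so far on this connection */
} DemoState;

static DemoTx *DemoTxFind(DemoState *s, uint32_t idn) {
    for (DemoTx *tx = s->head; tx != NULL; tx = tx->next)
        if (tx->idn == idn) return tx;
    return NULL;
}

/* Request: reuse the transaction carrying idn, otherwise open a new one. */
DemoTx *DemoHandleRequest(DemoState *s, uint32_t idn) {
    DemoTx *tx = DemoTxFind(s, idn);
    if (tx != NULL) return tx;             /* e.g. a repeated request */
    if ((tx = calloc(1, sizeof(*tx))) == NULL) return NULL;
    tx->idn = idn;
    tx->tx_id = s->tx_cnt++;
    if (s->tail != NULL) s->tail->next = tx; else s->head = tx;
    s->tail = tx;
    return tx;
}

/* Response: complete the matching request; NULL means nothing asked for it. */
DemoTx *DemoHandleResponse(DemoState *s, uint32_t idn) {
    DemoTx *tx = DemoTxFind(s, idn);
    if (tx != NULL) tx->has_response = 1;
    return tx;
}

void DemoStateFree(DemoState *s) {
    for (DemoTx *tx = s->head, *n; tx != NULL; tx = n) { n = tx->next; free(tx); }
    s->head = s->tail = NULL;
}

int main(void) {
    DemoState s = {0};                     /* constructed sample exchange */
    DemoHandleRequest(&s, 7);
    int ok = DemoHandleResponse(&s, 7) != NULL && DemoHandleResponse(&s, 9) == NULL;
    DemoStateFree(&s);
    return ok ? 0 : 1;
}
```

A `NULL` return from `DemoHandleResponse` marks a response with no matching request, which a parser can record as an anomaly event instead of silently dropping.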

Hi @sbhardwaj !

Thank you very much :slight_smile:

Although this is my first time on the forum, I have been developing on the platform for 5 years, but mostly UDP protocols, which is completely different.

I sometimes have some IDs indeed. But the protocol is quite similar to the FTP protocol: once you open the connection to the server, there will be a flow of “commands” or rather messages. Some messages will be answered (and thus have what they call a SEQID for sequence ID), some will not (heartbeat).

I am currently developing it in C. Not at ease with Rust at the moment.

So far, I have a State, I have registered a pointer to another Transaction structure and a “transaction_list” being an array.

The Transaction structure has an ID, a detectflag to server and to client, decoder_events, detection state.

The thing is, how do I tell that a packet and its flow will be part of a new Transaction?

Thank you in Advance for the help you can give on this :slight_smile: Greatly appreciated !

Hi,

Had to let down on this one for a while, but back on it.

So, to progress on this I made some unittests to make sure that my ProbingParser was good and that my protocol analysis was okay.
I took the bytes that correspond to the application layer from a packet tagged in pcap for the unittest, and the test passed.

The pcap contains several TCP packets:

  • ACK packets,
  • Protocol specific packets.

In the configuration, as the packet was captured from a live network, I activated the “midstream” option.

Now, when I read the packet from Suricata (-r option), it appears that the engine takes an ACK packet, tries to analyze it, and as the packet is not detected by my ProbingParser option, that’s it… The whole flow avoids any detection of packet malformation, tampering within the Application layer data, etc.

How is that possible? How can I make Suricata analyze every packet no matter if they belong to a common flow or not? In my current case study, it is true they belong to the same flow, but I need to analyze each packet, one by one.

Thank you in Advance