How to leverage Suricata app layer inspection

I would like to make use of Suricata app layer modules to inspect payload (for app layer protocols) without using Suricata's TCP/stream/reassembly modules. I would like to pass payload directly to the app layer parsers and get the verdict after matching rules. Is there an interface to pass payload directly for app layer parsing and inspection? If anyone has explored this use case, I would appreciate your suggestions/thoughts.

Unfortunately, at this time there is not. This could be a long-term goal of the library support.

At this time, the app-layer parsers really only concern themselves with parsing the protocol into buffers, not with the actual inspection of that data. So there is rather tight coupling between the application parsers and the Suricata detection engine when it comes to parsing and detection.


You can have a look at the fuzz targets, though; some of them do this, I think. It’s quite hackish, but it might offer some ideas. See src/tests/fuzz/ in the repo.