My idea is to implement the detection of cycles between two IPs. But I don’t know how to write a Snort plugin and deploy it in Suricata. Can someone help me?
First you should decide where your custom detection fits. Maybe it could be done with a Lua rule, which would be the simplest – 6.34. Lua Scripting — Suricata 6.0.0 documentation.
If it does need to be done as a plugin, then our plugin support is very young. We really only officially support output (logging) plugins and input (capture) plugins. You might be better off working directly in the code at first, as in modifying Suricata. This of course is much more involved, requiring time to get up to speed with Suricata internals and development.
Thank you! I wonder if Lua scripts are mature enough to support detecting cycles between two IPs. For example, when the period between two IP addresses is not 100s, Suricata will alarm, otherwise it will not alarm.
Can the Lua script recognize the NTP network protocol and extract specific bytes of data content from the traffic collected by the network card?
While we do support decoding NTP, it doesn’t look like it’s been exposed to Lua yet.
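The Lua-rule approach suggested above, applied to the "alarm when the period between two IPs is not 100s" requirement, as an added example that is not from this thread or the Suricata project. It uses only the documented Suricata 6 Lua packet functions (SCPacketTimestamp, SCPacketTuple) and packet timing, not NTP parsing, since NTP is not exposed to Lua; the expected period, tolerance and table cap are assumed values.

```lua
-- Added example: Suricata Lua detection script (used via the "lua" rule keyword)
-- that fires when the gap between consecutive packets for an IP pair is not
-- close to 100 seconds. Assumes the Suricata 6 Lua API; constants are assumptions.

local EXPECTED_PERIOD = 100   -- seconds between packets for a "normal" pair
local TOLERANCE = 5           -- allowed drift in seconds (assumption)
local MAX_TRACKED = 10000     -- cap on tracked pairs so the table cannot grow unbounded

-- State lives in this script's Lua state, which Suricata creates per detect
-- thread, so the table is not shared between threads (see note below).
local last_seen = {}
local tracked = 0

-- Order the two addresses so that A->B and B->A map to the same key.
local function pair_key(srcip, dstip)
    if srcip < dstip then
        return srcip .. "|" .. dstip
    end
    return dstip .. "|" .. srcip
end

function init(args)
    -- Ask Suricata to hand the script whole packets.
    return {["packet"] = tostring(true)}
end

function match(args)
    local sec, usec = SCPacketTimestamp()
    local ipver, srcip, dstip, proto, sp, dp = SCPacketTuple()
    local now = sec + usec / 1000000
    local key = pair_key(srcip, dstip)
    local prev = last_seen[key]

    if prev == nil then
        if tracked >= MAX_TRACKED then
            return 0  -- out of room: ignore new pairs rather than exhaust memory
        end
        tracked = tracked + 1
        last_seen[key] = now
        return 0      -- first packet for this pair: nothing to compare yet
    end
    last_seen[key] = now

    local delta = now - prev
    if math.abs(delta - EXPECTED_PERIOD) > TOLERANCE then
        return 1  -- interval deviates from the expected 100 s: fire the rule
    end
    return 0
end
```

A rule such as `alert udp any any -> any 123 (msg:"Peer interval deviates from 100s"; lua:ip_interval.lua; sid:1000001; rev:1;)` restricts which packets reach match(), so the script only sees the traffic the rule header selects. Because each detect thread keeps its own copy of last_seen, packets of the same pair handled by different threads are timed independently, which matters when running with several detect threads.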