[netsa-tools-discuss] Some queries regarding analysis of variable length fields

asad a.alii85 at gmail.com
Tue Oct 6 10:48:27 EDT 2015


Hey Rima,

Sounds like quite a project you are working on. From experience, I can guide
you that you should look into YAF, as it provides a DPI feature using plugins
and it also provides app-labeling using regex. Those rules are
placed in
usr/local/etc/yafApplabelRules.conf

For one thing, I understand that app-naming cannot be done in most cases
without a pcap or the DPI feature enabled. But with IPFIX, with the use of
information elements, you can get away with something more. Also, the NetFlow
devices which are polled in your case, if they follow the IPFIX standard, should
they not know how these information elements are being sent? The template
shall decide that matter. For example, an enterprise-specific Information
Element representing proprietary can be done using type and length; after
that it's the collection / processing part that needs to parse the template?
Please guide me if my understanding is wrong.

On Mon, Oct 5, 2015 at 9:01 PM, Rima Saha <saharima at gmail.com> wrote:

> Greetings CERT-team,
>
> We are using SiLK as an IPFIX collector and analyzer in our project.
> We need to collect and analyse some variable length fields like
> Application name exported by some exporters.
>
> I understand the collection part, and right now I am able to collect the
> application name by changing skipfix.c (which has a direct connection to
> libfixbuf).
>
> However, I am confused regarding how to analyse the variable-length field
> using SiLK tools like rwfilter etc. For example, I think I need to make some
> changes in the libsilk/skbag.c file in the bag_field_info[] array by specifying
> the number of octets each field will occupy. However, I don't know how many
> octets my application field will contain, since it is a variable-length field.
> So how should I handle this variable-length field for analysis? That is,
> currently bag_field_info[] is like this:
>
> static const bag_field_info_t bag_field_info[] = {
>     { 4, "sIPv4"},            /* SKBAG_FIELD_SIPv4 */
> ......
>     What value should I place here for the first member, in the case of the
> application name in the array?
>
>     {<whatValueToPlace>, "appName"}  /* SKBAG_FIELD_APPNAME */
>
> Also, how should I add the field (what datatype to use) in the
> rwfilter/rwfiltercheck.c file in the structure filter_checks_t, and which
> parsing function should I use in filterOptionsHandler?
>
> I would be really grateful if you can help me on this.
>
> Many many thanks in advance.
>
> Best Regards,
> Rima
>
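The point made above about the template being what tells a collector how an enterprise-specific, variable-length Information Element is laid out is easiest to see on the wire. The following is an added example, not code from SiLK, libfixbuf or either poster: a minimal RFC 7011 decoder that reads a template set, notes which field specifiers carry the enterprise bit and a Private Enterprise Number, and then walks a data set using the 1-octet / 0xFF + 2-octet length prefix that variable-length IEs carry. The PEN (12345), the IE id (1), the name table and the sample message are all constructed for the demonstration and are not registered or captured values.

```python
"""Minimal IPFIX (RFC 7011) decoder for a variable-length, enterprise-specific IE.
Added example; not SiLK or libfixbuf code."""
import struct
from dataclasses import dataclass
from typing import Optional

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
VARLEN = 0xFFFF  # field length that marks a variable-length IE in a template

# Hypothetical enterprise-specific "application name" IE (assumption: not a
# registered PEN or IE; a real exporter would use its own IANA-assigned PEN).
DEMO_PEN = 12345
DEMO_APPNAME_ID = 1

# Names for the IEs this demo understands: (PEN or None, IE id) -> name.
IE_NAMES = {
    (None, 8): "sourceIPv4Address",
    (None, 12): "destinationIPv4Address",
    (DEMO_PEN, DEMO_APPNAME_ID): "appName",
}


@dataclass
class FieldSpec:
    ie_id: int
    length: int          # fixed octet count, or VARLEN
    pen: Optional[int]   # Private Enterprise Number when the enterprise bit is set

    @property
    def name(self) -> str:
        return IE_NAMES.get((self.pen, self.ie_id), f"ie({self.pen},{self.ie_id})")


def _parse_template_set(buf, off, end, templates):
    """Template record = template id, field count, field specifiers. A specifier
    whose high bit is set is followed by a 4-octet PEN."""
    while off + 4 <= end:
        tid, count = struct.unpack_from("!HH", buf, off)
        off += 4
        if tid == 0:        # zero padding at the end of the set
            break
        if tid < 256:
            raise ValueError(f"invalid template id {tid}")
        fields = []
        for _ in range(count):
            raw_id, length = struct.unpack_from("!HH", buf, off)
            off += 4
            pen = None
            if raw_id & 0x8000:
                (pen,) = struct.unpack_from("!I", buf, off)
                off += 4
            fields.append(FieldSpec(raw_id & 0x7FFF, length, pen))
        templates[tid] = fields


def _parse_data_set(buf, off, end, fields):
    """Walk records as the template dictates; a variable-length field carries
    its own length: one octet, or 0xFF followed by a 2-octet length."""
    min_len = sum(1 if f.length == VARLEN else f.length for f in fields)
    records = []
    while off + min_len <= end:   # trailing bytes shorter than a record are padding
        rec = {}
        for f in fields:
            if f.length == VARLEN:
                if off >= end:
                    raise ValueError("truncated variable-length prefix")
                ln = buf[off]
                off += 1
                if ln == 255:
                    if off + 2 > end:
                        raise ValueError("truncated variable-length prefix")
                    (ln,) = struct.unpack_from("!H", buf, off)
                    off += 2
            else:
                ln = f.length
            if off + ln > end:
                raise ValueError(f"{f.name} runs past the end of its set")
            rec[f.name] = bytes(buf[off:off + ln])
            off += ln
        records.append(rec)
    return records


def parse_message(buf: bytes):
    """Return (templates, records) for one IPFIX message; raises on malformed input."""
    if len(buf) < 16:
        raise ValueError("short message header")
    version, msg_len, _export_time, _seq, _odid = struct.unpack_from("!HHIII", buf, 0)
    if version != IPFIX_VERSION:
        raise ValueError(f"not IPFIX (version {version})")
    if msg_len > len(buf):
        raise ValueError("message length exceeds buffer")
    templates, records, off = {}, [], 16
    while off + 4 <= msg_len:
        set_id, set_len = struct.unpack_from("!HH", buf, off)
        set_end = off + set_len
        if set_len < 4 or set_end > msg_len:
            raise ValueError("bad set length")
        if set_id == TEMPLATE_SET_ID:
            _parse_template_set(buf, off + 4, set_end, templates)
        elif set_id >= 256:
            if set_id not in templates:
                raise ValueError(f"data set for unknown template {set_id}")
            records.extend(_parse_data_set(buf, off + 4, set_end, templates[set_id]))
        off = set_end   # options template sets (id 3) are not needed here
    return templates, records


def encode_varlen(value: bytes) -> bytes:
    """RFC 7011 variable-length encoding: 1-octet length, or 0xFF + 2 octets."""
    if len(value) < 255:
        return bytes([len(value)]) + value
    return b"\xff" + struct.pack("!H", len(value)) + value


def build_sample_message() -> bytes:
    """Constructed test message (not a real capture): one template with two fixed
    IPv4 IEs plus the variable-length appName IE, then a data set holding a short
    name, a 300-octet name (long-form length), and two octets of padding."""
    tmpl = struct.pack("!HH", 256, 3)
    tmpl += struct.pack("!HH", 8, 4)     # sourceIPv4Address
    tmpl += struct.pack("!HH", 12, 4)    # destinationIPv4Address
    tmpl += struct.pack("!HHI", 0x8000 | DEMO_APPNAME_ID, VARLEN, DEMO_PEN)
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    recs = bytes([10, 0, 0, 1]) + bytes([192, 0, 2, 7]) + encode_varlen(b"ssh")
    recs += bytes([10, 0, 0, 2]) + bytes([192, 0, 2, 9]) + encode_varlen(b"x" * 300)
    recs += b"\x00\x00"
    data_set = struct.pack("!HH", 256, 4 + len(recs)) + recs
    body = template_set + data_set
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 1444140000, 0, 1)
    return header + body


if __name__ == "__main__":
    _, recs = parse_message(build_sample_message())
    for r in recs:
        print(r["sourceIPv4Address"].hex(), len(r["appName"]), r["appName"][:8])
```

The decoder never trusts a length it reads without checking it against the enclosing set boundary, which is the check a collector-side change (such as the skipfix.c modification mentioned in the thread) also needs: a variable-length prefix from an untrusted exporter can claim more octets than the set holds.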