haka-security / haka

Haka runtime
http://haka-security.org
Mozilla Public License 2.0

Program a new dissector and hook #2

Closed HRonan closed 10 years ago

HRonan commented 10 years ago

Hi,

I want to test the development of a new dissector in Haka, so I tried to code a simple dissector in Lua, like the http dissector but for ssh. Yet it was a partial success, because the -up and down seem to work (I see them when I test my code with a pcap in debug mode). But I don't know how and where my custom hooks can be called.

This is a part of my code

local module = {}

haka.dissector {
    name = "ssh",
    hooks = { "ssh-test" },
    dissect = function (stream)
        -- Create the per-connection ssh state the first time this connection is seen
        if not stream.connection.data._ssh then
            local ssh = {}
            ssh.dissector = "ssh"
            ssh.next_dissector = nil
            ssh.valid = function (self)
                return self._tcp_stream:valid()
            end
            ssh.drop = function (self)
                return self._tcp_stream:drop()
            end
            ssh.forge = function (self)
                -- Return the stored stream, then clear the reference
                -- (clearing it first would always return nil)
                local tcp = self._tcp_stream
                self._tcp_stream = nil
                return tcp
            end

            ssh.connection = stream.connection
            stream.connection.data._ssh = ssh
        end

        -- Attach the current stream to the connection's ssh state
        local ssh = stream.connection.data._ssh
        ssh._tcp_stream = stream
    end
}

return module

(Sorry for the formatting)

I suppose this code is like a skeleton of a dissector which uses a stream.

But my major issue is how to execute a part of the code only for the hook 'ssh-test', and how to call it. So where am I supposed to program the ssh-test hook?

Thank you.

psdesse commented 10 years ago

Hi,

You can check the code for the http dissector. We have custom hooks like the one you want to define.

if not haka.rule_hook("http-".. name, http) then
    return nil
end

This is the example for http. In your case you have to call the function haka.rule_hook(hook_name, ).

If you are working with dissectors, you might want to check the develop branch. We have reworked and improved the dissector part a lot.

HRonan commented 10 years ago

I had tried to include this function haka.rule_hook, but without full success. But I didn't know that the code of the dissectors would be fully reorganized. I will examine the develop branch.

Thank you.

HRonan commented 10 years ago

I am trying the develop branch of Haka, and I noticed a little issue with git submodule init and git submodule update. The URLs in .gitmodules seemed to be wrong because my submodule update failed (it may be the configuration of my network which raises an issue with git:// URLs).

So I modified the URLs, and the git submodule commands executed without error:

[submodule "external/sphinx-lua"]
    path = external/sphinx-lua
    url = https://github.com/redjack/sphinx-lua.git
[submodule "external/iniparser/src"]
    path = external/iniparser/src
    url = https://github.com/ndevilla/iniparser.git
[submodule "external/lua/src"]
    path = external/lua/src
    url = https://github.com/haka-security/lua.git
[submodule "external/luajit/src"]
    path = external/luajit/src
    url = http://luajit.org/git/luajit-2.0.git
[submodule "external/luaunit/src"]
    path = external/luaunit/src
    url = https://github.com/bluebird75/luaunit.git

psdesse commented 10 years ago

Thanks for the feedback. We will change our paths to prefer https over git.

psdesse commented 10 years ago

We have changed it: 133e44293b73891924cfbaa201a1813a6e83cace. It is possible, if needed, to replace those URIs using the global .gitconfig.
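
A way to audit a .gitmodules file for the transport issue raised in this thread and to generate the global .gitconfig rewrite mentioned in the last comment. This is an added example, not code from the Haka project or from the referenced commit; the function names are hypothetical, the sample file is constructed (its git:// URL is an assumed pre-fix form), and the rewrite assumes the host serves the same repository over https.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the paths follow the thread's list, the git:// URL is an
# assumed pre-fix form, the other two URLs are copied from the list above.
SAMPLE_GITMODULES = '''\
[submodule "external/lua/src"]
    path = external/lua/src
    url = git://github.com/haka-security/lua.git
[submodule "external/luajit/src"]
    path = external/luajit/src
    url = http://luajit.org/git/luajit-2.0.git
[submodule "external/luaunit/src"]
    path = external/luaunit/src
    url = https://github.com/bluebird75/luaunit.git
'''

PLAINTEXT = {"git", "http"}  # no transport encryption or server authentication

def parse_gitmodules(text):
    """Return {submodule name: {key: value}} from .gitmodules text."""
    modules, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r'\[submodule "(.+)"\]', line)
        if header:
            current = modules.setdefault(header.group(1), {})
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return modules

def audit(text):
    """Return [(name, url)] for submodules fetched over a plaintext transport."""
    return [(name, cfg["url"]) for name, cfg in parse_gitmodules(text).items()
            if urlsplit(cfg.get("url", "")).scheme in PLAINTEXT]

def instead_of_commands(findings):
    """Build global url.<base>.insteadOf rewrites, for git:// hosts only."""
    hosts = sorted({urlsplit(u).netloc for _, u in findings
                    if urlsplit(u).scheme == "git"})
    return [f'git config --global url."https://{h}/".insteadOf "git://{h}/"'
            for h in hosts]

if __name__ == "__main__":
    findings = audit(SAMPLE_GITMODULES)
    for name, url in findings:
        print(f"plaintext transport: {name} -> {url}")
    print("\n".join(instead_of_commands(findings)))
```

Plain http:// entries are reported but not rewritten, because an https endpoint for that host has to be confirmed before changing the URL.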