Adding a new protocol to suricata in rust

gemini-15 · July 9, 2020, 2:15pm

Hi everyone,

My project consists on adding a proprietary Protocol to suricata. After writing and testing the protocol’s parser, I then moved to writting the Rust register to be able to use it directly from suricata. However, I’m facing various understanding difficulties :

Firstly, is the logger.rs and the log.rs define the result log in the return of the suricata command eve.json or fast.log?
The network protocol I’m working on, uses different states, where I must verify them from a state table, and if not well structured make it possible to drop or alert via suricata. Hence, is it a rule or should I write it in the rust code??
Is there anyway to be able to work with suricata using rust code as a dynamic library ? (I’ve thinking of rusticata and if it’s possible to add protocols to it)

Any help would be awesome !
I can detail my difficulties if necessary

Yassine

vjulien · July 10, 2020, 8:05am

Currently the Rust logging code still needs a bit of a C “glue”. I would suggest having a look at the ssh implementation as an example. There is output-json-ssh.c which calls the rust code:

    jb_open_object(js, "ssh");
    if (!rs_ssh_log_json(txptr, js)) {
        goto end;
    }
    jb_close(js);

The simplest thing would be to create “events”. The detection engine can then either drop or alert on these events. For ssh, events are defined here:

github.com

OISF/suricata/blob/master/rust/src/ssh/ssh.rs#L35


      
          static mut ALPROTO_SSH: AppProto = ALPROTO_UNKNOWN;
          static HASSH_ENABLED: AtomicBool = AtomicBool::new(false);
          
          fn hassh_is_enabled() -> bool {
              HASSH_ENABLED.load(Ordering::Relaxed)
          }
          
          #[derive(AppLayerEvent)]
          pub enum SSHEvent {
              InvalidBanner,
              LongBanner,
              InvalidRecord,
              LongKexRecord,
          }
          
          #[repr(u8)]
          #[derive(Copy, Clone, PartialOrd, PartialEq, Eq)]
          pub enum SSHConnectionState {
              SshStateInProgress = 0,
              SshStateBannerWaitEol = 1,
              SshStateBannerDone = 2,

Not the complete implementation at this point, but you can see examples of parsers that rely on an external crate, like the krb5 parser. We are working on plugin support, but that isn’t ready yet. See:

gemini-15 · July 28, 2020, 11:42am

Thank you very much for your remarks, it really helped a lot. I’ve understood the C “glue” code to add, I was wondering however, how can I specify the range of sid (similarly to what is available for other existing protocols defined here : https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer) for my new protocol.

vjulien · July 28, 2020, 11:58am

If you plan to submit your protocol for inclusion we can define a range for the protocol. This list is only for protocol implementations included in the Suricata as we ship it.

If you don’t plan to submit it for inclusion I would suggest choosing a different range to avoid future sid collisions.

gemini-15 · July 28, 2020, 11:59am

Understood! Thanks for everthing !

Topic		Replies	Views
Adding new protocol to suricata with rust Developers	13	2017	March 19, 2021
Guide to create a new protocol in rust from scratch Developers	3	947	September 22, 2021
Enrichment for Application layer protocol related events Rules rules	2	868	August 4, 2021
Add new private protocol	4	338	December 23, 2023
Rules and log files	1	1027	November 28, 2023

Adding a new protocol to suricata in rust

Related topics