My project consists of adding a proprietary protocol to Suricata. After writing and testing the protocol's parser, I then moved to writing the Rust register to be able to use it directly from Suricata. However, I'm facing various understanding difficulties:
- Firstly, do logger.rs and log.rs define the result log that the Suricata command returns in eve.json or fast.log?
- The network protocol I'm working on uses different states, which I must verify against a state table, and if they are not well structured, make it possible to drop or alert via Suricata. Hence, is it a rule, or should I write it in the Rust code?
- Is there any way to work with Suricata using Rust code as a dynamic library? (I've been thinking of rusticata and whether it's possible to add protocols to it.)
Any help would be awesome!
I can detail my difficulties if necessary.
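An added illustration of the second question (the state-table check), written here as a stand-alone example; it is neither the poster's parser nor Suricata's own API. The usual split in Suricata app-layer parsers is that the parser validates transitions and records each violation as an app-layer event, and rules then match those events with the `app-layer-event` keyword to alert or drop, so the parser never decides the action itself. The protocol, its states, message types and event names below are assumptions made up for this example.

```rust
// Added example: a stand-alone state-table check for a hypothetical
// request/response protocol. Not Suricata's code; the state, message and
// event names are assumptions made for illustration.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum State {
    Idle,
    HelloSent,
    Established,
    Closing,
    Closed,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Msg {
    Hello,
    HelloAck,
    Data,
    Close,
    CloseAck,
}

/// Parser-side findings. A Suricata app-layer parser would surface these
/// as app-layer events; rules match them with `app-layer-event:` and decide
/// whether to alert or drop. The parser only records.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Event {
    /// Message is not allowed in the current state.
    InvalidTransition { from: State, msg: Msg },
    /// First byte did not map to any known message type.
    UnknownMessageType(u8),
    /// Zero-length message, nothing to decode.
    EmptyMessage,
}

/// The state table: (current state, incoming message) -> next state.
/// Any pair not listed here is a protocol violation.
fn transition(state: State, msg: Msg) -> Option<State> {
    use Msg::*;
    use State::*;
    match (state, msg) {
        (Idle, Hello) => Some(HelloSent),
        (HelloSent, HelloAck) => Some(Established),
        (Established, Data) => Some(Established),
        (Established, Close) => Some(Closing),
        (Closing, CloseAck) => Some(Closed),
        _ => None,
    }
}

/// Per-flow state, the rough equivalent of the per-flow struct an
/// app-layer parser keeps (assumed shape, not Suricata's).
#[derive(Debug)]
pub struct FlowState {
    pub state: State,
    pub events: Vec<Event>,
    pub data_msgs: usize,
}

impl FlowState {
    pub fn new() -> Self {
        FlowState { state: State::Idle, events: Vec::new(), data_msgs: 0 }
    }

    /// Apply one parsed message. A valid transition advances the state; an
    /// invalid one leaves the state untouched and records an event, so the
    /// flow keeps being parsed and a rule can still match on the event.
    pub fn feed(&mut self, msg: Msg) -> State {
        match transition(self.state, msg) {
            Some(next) => {
                if msg == Msg::Data {
                    self.data_msgs += 1;
                }
                self.state = next;
            }
            None => self.events.push(Event::InvalidTransition { from: self.state, msg }),
        }
        self.state
    }
}

/// Decode one wire message of the constructed format: first byte is the type.
pub fn parse_msg(buf: &[u8]) -> Result<Msg, Event> {
    match buf.first().copied() {
        Some(1) => Ok(Msg::Hello),
        Some(2) => Ok(Msg::HelloAck),
        Some(3) => Ok(Msg::Data),
        Some(4) => Ok(Msg::Close),
        Some(5) => Ok(Msg::CloseAck),
        Some(other) => Err(Event::UnknownMessageType(other)),
        None => Err(Event::EmptyMessage),
    }
}

/// Run the messages of one flow, in order, through the state table.
pub fn run_flow<B: AsRef<[u8]>>(msgs: &[B]) -> FlowState {
    let mut flow = FlowState::new();
    for m in msgs {
        match parse_msg(m.as_ref()) {
            Ok(msg) => {
                flow.feed(msg);
            }
            Err(ev) => flow.events.push(ev),
        }
    }
    flow
}

fn main() {
    // Constructed sample: clean handshake, one Data message, Close, then a
    // Data message while already Closing, which the table does not allow.
    let sample: Vec<Vec<u8>> = vec![vec![1], vec![2], vec![3, 0xAA], vec![4], vec![3, 0xBB], vec![5]];
    let flow = run_flow(&sample);
    println!("final state: {:?}, data messages: {}", flow.state, flow.data_msgs);
    for ev in &flow.events {
        println!("event: {:?}", ev);
    }
}
```

The point of keeping `feed` free of any alert/drop decision is that the same parser serves both IDS and IPS deployments: the event is just data on the flow, and whether `InvalidTransition` becomes an alert, a drop, or nothing at all is a rule-set choice.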