Hi,
Do you know if there is a guide or tutorial on how to create a new protocol in rust from scratch ?
I’m having trouble finding info and don’t know where to start.
Thank you
Hi,
There’s a helper script to create the template files.
In the top level directory, use
python scripts/app-layer.py --rust NewProtocolName
Hello!
What Jeff said has worked well for me. I’ve used it to “kickstart” PostgreSQL in Rust, in Suri, and it can give you most of what you need, to move around, with something that will run from the start (you can run the script, then run Suri in pcap mode to read the pcap that you find in the same folder, and you’ll see messages parsed and logged - suricata/rust/src/applayertemplate at master · OISF/suricata · GitHub). From there, you can move on and just add up and modify the template structure, when needed.
After running that, what I did was to define a small portion of the protocol that I would cover, to be my MVP, and wrote the nom parsers (and their unit tests); then integrated those in the main loop for parsing request and response (if you follow the template, those will be in the file corresponding to template.rs), then again more unit tests for those loops, and kept adding to those. When I had enough messages parsed, I was able to address transactions and parser state, and then I moved on to add the logger, so we could see all the parsed events in eve.json.
In the template.rs file there is a function called rs_template_register_parser which is responsible for registering all callbacks that the Suricata API needs. Understanding this was quite important for me to get a better sense of the whole picture, and how everything would integrate:
Not sure if this is all too basic and detailed, or too much information at once, but I hope it can give you some better understanding on how to benefit from the script Jeff has mentioned.
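To make the "write the parsers first, then the request/response loop" advice above concrete, here is an added example that is not the template's code and not from either poster: a parser for a constructed toy protocol (1 byte type, 2-byte big-endian length, payload), written in the shape a nom parser hands back to the template's loops (parsed value plus unconsumed remainder, "need more bytes", or a hard error). It uses plain Rust rather than the nom crate so it compiles stand-alone; the message format, the names ToyMessage, ParseResult, parse_message and parse_chunk, and the MAX_PAYLOAD_LEN bound are all assumptions for illustration.

```rust
// Added example: a minimal stream parser for a constructed toy protocol,
// in the shape Suricata's Rust app-layer template expects from a nom parser
// (remaining input + parsed value, or "need more data"). Not the template's
// own code; the message format and all names here are assumed.

/// One message of the toy protocol (constructed format):
/// 1 byte type, 2-byte big-endian payload length, payload.
#[derive(Debug, PartialEq)]
pub struct ToyMessage {
    pub msg_type: u8,
    pub payload: Vec<u8>,
}

/// Parse outcome, mirroring nom's IResult: a parsed message plus the
/// unconsumed remainder, a request for more bytes, or a hard error.
#[derive(Debug, PartialEq)]
pub enum ParseResult<'a> {
    Done(&'a [u8], ToyMessage),
    Incomplete(usize), // bytes still needed before this message can be parsed
    Error,
}

/// Upper bound on payload length the parser accepts: a malformed or hostile
/// length field must not make the engine buffer unbounded data.
pub const MAX_PAYLOAD_LEN: usize = 4096;

/// Parse a single message from the front of `input`.
pub fn parse_message(input: &[u8]) -> ParseResult<'_> {
    const HEADER_LEN: usize = 3;
    if input.len() < HEADER_LEN {
        return ParseResult::Incomplete(HEADER_LEN - input.len());
    }
    let msg_type = input[0];
    let len = u16::from_be_bytes([input[1], input[2]]) as usize;
    if len > MAX_PAYLOAD_LEN {
        return ParseResult::Error;
    }
    let total = HEADER_LEN + len;
    if input.len() < total {
        return ParseResult::Incomplete(total - input.len());
    }
    let payload = input[HEADER_LEN..total].to_vec();
    ParseResult::Done(&input[total..], ToyMessage { msg_type, payload })
}

/// Outcome of one pass over a chunk of stream data, in the shape the
/// template's request/response loops work with: bytes consumed, messages
/// parsed, and whether a parse error (an app-layer event) occurred.
#[derive(Debug, PartialEq)]
pub struct ChunkOutcome {
    pub consumed: usize,
    pub messages: Vec<ToyMessage>,
    pub error: bool,
}

/// Parse as many complete messages as the chunk holds. The unparsed tail
/// is left for the caller to buffer and retry once more data arrives.
pub fn parse_chunk(input: &[u8]) -> ChunkOutcome {
    let mut rest = input;
    let mut messages = Vec::new();
    loop {
        match parse_message(rest) {
            ParseResult::Done(tail, msg) => {
                messages.push(msg);
                rest = tail;
                if rest.is_empty() {
                    break;
                }
            }
            ParseResult::Incomplete(_) => break,
            ParseResult::Error => {
                return ChunkOutcome {
                    consumed: input.len() - rest.len(),
                    messages,
                    error: true,
                };
            }
        }
    }
    ChunkOutcome {
        consumed: input.len() - rest.len(),
        messages,
        error: false,
    }
}

fn main() {
    // Constructed sample: one complete message followed by a truncated one.
    let stream = [0x01, 0x00, 0x02, b'h', b'i', 0x02, 0x00, 0x05, b'p'];
    let out = parse_chunk(&stream);
    println!("consumed {} bytes, parsed {:?}", out.consumed, out.messages);
}
```

The two things worth carrying over to a real protocol are the Incomplete path (the loop stops and reports how much it consumed, so the engine can hold the tail and call again rather than drop a message split across TCP segments) and the length bound (a length field taken straight from the wire decides how much the engine allocates, so it is checked before any buffering).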
Thank you @jufajardini and @Jeff_Lucovsky for your answers. I will follow your advice