Guide to create a new protocol in rust from scratch

Norbby · September 18, 2021, 1:13pm

Hi,

Do you know if there is a guide or tutorial on how to create a new protocol in rust from scratch ?
I’m having trouble finding info and don’t know where to start.

Thank you

Jeff_Lucovsky · September 19, 2021, 12:16pm

Hi,

There’s a helper script to create the template files.

In the top level directory, use

python scripts/app-layer.py --rust NewProtocolName

jufajardini · September 20, 2021, 8:19am

Hello!

What Jeff said has worked well for me. I’ve used it to “kickstart” PostgreSQL in Rust, in Suri, and it can give you most of what you need, to move around, with something that will run from the start (you can run the script, then run Suri in pcap mode to read the pcap that you find in the same folder, and you’ll see messages parsed and logged - suricata/rust/src/applayertemplate at master · OISF/suricata · GitHub). From there, you can move on and just add up and modify the template structure, when needed.

After running that, what I did was to define a small portion of the protocol that I would cover, to be my MVP, and wrote the nom parsers (and their unit tests); then integrated those in the main loop for parsing request and response (if you follow the template, those will be in the file corresponding to template.rs), then again more unittests for those loops, and kept adding to those. When I had enough messages parsed, I was able to address transactions and parser state, and then I moved on to add the logger, so we could see all the parsed events in eve.json.

In the template.rs file there is a function called rs_template_register_parser which is the responsible for registering all callbacks that Suricata API needs. Understanding this was quite important for me to get a better sense of the whole picture, and how everything would integrate:

github.com

OISF/suricata/blob/master/rust/src/applayertemplate/template.rs#L501

    
      
              }
              return 0;
          }
          
          
export_tx_data_get!(rs_template_get_tx_data, TemplateTransaction);
          
          
// Parser name as a C style string.
          const PARSER_NAME: &'static [u8] = b"template-rust\0";
          
          
#[no_mangle]
          pub unsafe extern "C" fn rs_template_register_parser() {
              let default_port = CString::new("[7000]").unwrap();
              let parser = RustParser {
                  name: PARSER_NAME.as_ptr() as *const std::os::raw::c_char,
                  default_port: default_port.as_ptr(),
                  ipproto: IPPROTO_TCP,
                  probe_ts: Some(rs_template_probing_parser),
                  probe_tc: Some(rs_template_probing_parser),
                  min_depth: 0,
                  max_depth: 16,
                  state_new: rs_template_state_new,

Not sure if this is all too basic and detailed, or too much information at once, but I hope it can give you some better understanding on how to benefit from the script Jeff has mentioned

Norbby · September 22, 2021, 8:38pm

Thank you @jufajardini and @Jeff_Lucovsky for your answers. I will follow your advice

Topic		Replies	Views
Adding a new protocol to suricata in rust Developers	4	1991	July 28, 2020
Enrichment for Application layer protocol related events Rules rules	2	768	August 4, 2021
Can I rename Suricata fields in Eve.json. And where I can get all possible fields Help	4	700	January 2, 2022
How to create a separate eve.json for each processed pcap file? Help	18	1704	December 19, 2022
Can I use a Suricata IDS alert to trigger some python code? Help	6	1662	July 18, 2020

Guide to create a new protocol in rust from scratch

Related Topics