Question about new buffer detection calling rust code

hxndghxndg · February 24, 2024, 4:18pm

hello, everyone

I want to add a new app layer iot protocol into suricata code, use the scripts/setup-app-layer.py, with two different buffer added.

After use it, I found these two different detect code get the data by share same rust function ‘rs_new_iot_get_request_buffer’ & ‘rs_new_iot_get_response_buffer’,

My question stands : should I change the default ‘rs_new_iot_get_request_buffer’ function to some ‘rs_new_iot_get_request_buffer1’/‘rs_new_iot_get_request_buffer2’, and retrive the real related iot message part to inspect?

If not, what is the suitable way not to do that?

I check the document of detection(27.4.4. Detection — Suricata 8.0.0-dev documentation) , but find nothing, is there any other guidence?

Thank u !

hxndghxndg · March 13, 2024, 1:11pm

I write different rust get buffer code, seems it do work

ish · March 13, 2024, 2:39pm

Yes, these are just templates with an idea of how you might write your own. It is intended to replace them. There are lots of examples in the existing parsers. But it looks like you figured it out.

Topic		Replies	Views
Some questions about add new app layer protocol Help	1	1314	January 6, 2022
Adding a new protocol to suricata in rust Developers	4	2180	July 28, 2020
Guide to create a new protocol in rust from scratch Developers	3	947	September 22, 2021
Adding new protocol to suricata with rust Developers	13	2017	March 19, 2021
How to leverage Suricata app layer inspection Developers	2	297	October 7, 2023

Question about new buffer detection calling rust code

Related topics