Question about new buffer detection calling rust code

hxndghxndg · February 24, 2024, 4:18pm

hello, everyone

I want to add a new app layer iot protocol into suricata code, use the scripts/setup-app-layer.py, with two different buffer added.

After use it, I found these two different detect code get the data by share same rust function ‘rs_new_iot_get_request_buffer’ & ‘rs_new_iot_get_response_buffer’,

My question stands : should I change the default ‘rs_new_iot_get_request_buffer’ function to some ‘rs_new_iot_get_request_buffer1’/‘rs_new_iot_get_request_buffer2’, and retrive the real related iot message part to inspect?

If not, what is the suitable way not to do that?

I check the document of detection(27.4.4. Detection — Suricata 8.0.0-dev documentation) , but find nothing, is there any other guidence?

Thank u !

hxndghxndg · March 13, 2024, 1:11pm

I write different rust get buffer code, seems it do work

ish · March 13, 2024, 2:39pm

Yes, these are just templates with an idea of how you might write your own. It is intended to replace them. There are lots of examples in the existing parsers. But it looks like you figured it out.

Topic		Replies	Views
Some questions about add new app layer protocol Help	1	1136	January 6, 2022
S7 Protocol Developing Developers	4	1339	October 5, 2020
Writing a signature for multiple conditions Rules	3	907	November 25, 2021
Analyze Data packet with PythonScript with Lua Rules Help ips , rules , suricata , lua	1	270	August 5, 2023
Cannot get srcip from the packet buffer in LUA detection script Rules ips , lua	1	241	April 4, 2023

Question about new buffer detection calling rust code

Related Topics