Hello everyone, I have learned how to add a protocol parser from the posts and documents of the members of the Suricata development team.
Yes, Rust is used. But what I don't understand is whether the entire protocol detection uses C->Rust? For example, Suricata 8.X has added the POP3 protocol, but I found that it doesn't have the functionality of filestore. Maybe it hasn't started development yet. Then my question is: if this functionality is to be implemented, is it completely based on Rust, or still using the C language?
Just like this:
Its detection is not perfect 0.0
```rust
if response.status == sawp_pop3::Status::OK && tx.request.is_some() {
    let command = tx.request.as_ref().unwrap();
    match &command.keyword {
        sawp_pop3::Keyword::STLS => {
            // Server accepted STLS: hand the flow over to the TLS parser
            unsafe {
                AppLayerRequestProtocolTLSUpgrade(flow);
            };
        }
        sawp_pop3::Keyword::RETR => {
            // Don't hold onto the whole email body
            // TODO: pass off to mime parser
            response.data.clear();
        }
        _ => {}
    }
}
```
And what I also want to ask is: even if the current Rust parser implements the extraction of file streams, can the Rust parser implement the caching of file streams? It seems that Rust is currently only used as a tool for parsing data packets? In this case, the md5 calculation or saving of the file cannot be achieved.
I hope to receive an answer from the Suricata team. Thank you very much.
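As an added illustration of the "cache and md5" part of the question (this is example code written for this page, not Suricata's code, not the sawp_pop3 parser, and not a model of Suricata's own file-handling API), the Rust snippet below shows the technique a parser needs on its side: hash a RETR body incrementally as each chunk arrives, so the digest is available at the end without ever holding the whole message, and retain only a bounded prefix of the body (the `FileTracker`, `FileRecord`, `SAMPLE_BODY` and `retr_example` names, and the sample message, are constructed for this example). The MD5 implementation follows RFC 1321 and uses no external crates.

```rust
// Added example, not Suricata or sawp_pop3 code: an incremental MD5 digest plus a
// bounded "file tracker" that a parser could feed RETR body chunks into as they arrive.

// Per-round left-rotation amounts (RFC 1321).
const S: [u32; 64] = [
    7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22,
    5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20,
    4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23,
    6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21,
];
// Additive constants: K[i] = floor(2^32 * |sin(i + 1)|).
const K: [u32; 64] = [
    0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee, 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
    0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be, 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
    0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa, 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
    0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed, 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
    0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c, 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
    0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05, 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
    0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039, 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
    0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1, 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391,
];

/// Processes one 64-byte block into the running state.
fn compress(state: &mut [u32; 4], block: &[u8]) {
    let mut m = [0u32; 16];
    for (i, w) in m.iter_mut().enumerate() {
        *w = u32::from_le_bytes([block[4 * i], block[4 * i + 1], block[4 * i + 2], block[4 * i + 3]]);
    }
    let (mut a, mut b, mut c, mut d) = (state[0], state[1], state[2], state[3]);
    for i in 0..64 {
        let (f, g) = match i / 16 {
            0 => ((b & c) | (!b & d), i),
            1 => ((d & b) | (!d & c), (5 * i + 1) % 16),
            2 => (b ^ c ^ d, (3 * i + 5) % 16),
            _ => (c ^ (b | !d), (7 * i) % 16),
        };
        let rotated = a.wrapping_add(f).wrapping_add(K[i]).wrapping_add(m[g]).rotate_left(S[i]);
        a = d;
        d = c;
        c = b;
        b = b.wrapping_add(rotated);
    }
    let out = [a, b, c, d];
    for i in 0..4 {
        state[i] = state[i].wrapping_add(out[i]);
    }
}

/// Streaming MD5: feed any number of chunks, finalize once.
pub struct Md5 { state: [u32; 4], pending: Vec<u8>, total_len: u64 }

impl Md5 {
    pub fn new() -> Self {
        Md5 { state: [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476], pending: Vec::new(), total_len: 0 }
    }
    /// Absorbs a chunk; only the partial trailing block (< 64 bytes) is kept in memory.
    pub fn update(&mut self, data: &[u8]) {
        self.total_len = self.total_len.wrapping_add(data.len() as u64);
        self.pending.extend_from_slice(data);
        let full = self.pending.len() / 64 * 64;
        for blk in self.pending[..full].chunks_exact(64) {
            compress(&mut self.state, blk);
        }
        self.pending.drain(..full);
    }
    /// Applies RFC 1321 padding (0x80, zeros, 64-bit little-endian bit length) and returns the digest.
    pub fn finalize(mut self) -> [u8; 16] {
        let bit_len = self.total_len.wrapping_mul(8);
        let mut tail = std::mem::take(&mut self.pending);
        tail.push(0x80);
        while tail.len() % 64 != 56 {
            tail.push(0);
        }
        tail.extend_from_slice(&bit_len.to_le_bytes());
        for blk in tail.chunks_exact(64) {
            compress(&mut self.state, blk);
        }
        let mut out = [0u8; 16];
        for (i, w) in self.state.iter().enumerate() {
            out[4 * i..4 * i + 4].copy_from_slice(&w.to_le_bytes());
        }
        out
    }
}

pub fn md5_hex(data: &[u8]) -> String {
    let mut h = Md5::new();
    h.update(data);
    h.finalize().iter().map(|b| format!("{:02x}", b)).collect()
}

/// What a parser would hand to the file/logging layer once the body is complete.
pub struct FileRecord { pub size: u64, pub md5: String, pub stored: Vec<u8>, pub truncated: bool }

/// Hashes everything it sees, but buffers at most `store_limit` bytes of the body.
pub struct FileTracker { hasher: Md5, size: u64, stored: Vec<u8>, store_limit: usize, truncated: bool }

impl FileTracker {
    pub fn new(store_limit: usize) -> Self {
        FileTracker { hasher: Md5::new(), size: 0, stored: Vec::new(), store_limit, truncated: false }
    }
    pub fn feed(&mut self, chunk: &[u8]) {
        self.hasher.update(chunk);
        self.size += chunk.len() as u64;
        let room = self.store_limit.saturating_sub(self.stored.len());
        if chunk.len() > room {
            self.truncated = true;
        }
        self.stored.extend_from_slice(&chunk[..room.min(chunk.len())]);
    }
    pub fn close(self) -> FileRecord {
        let md5 = self.hasher.finalize().iter().map(|b| format!("{:02x}", b)).collect();
        FileRecord { size: self.size, md5, stored: self.stored, truncated: self.truncated }
    }
}

/// Constructed sample RETR payload (not captured traffic).
pub const SAMPLE_BODY: &[u8] =
    b"From: alice@example.invalid\r\nSubject: report\r\n\r\nquarterly numbers attached\r\n.\r\n";

/// Simulates the body arriving in several segments with a 32-byte retention cap.
pub fn retr_example() -> FileRecord {
    let mut tracker = FileTracker::new(32);
    for chunk in SAMPLE_BODY.chunks(25) {
        tracker.feed(chunk);
    }
    tracker.close()
}

fn main() {
    let rec = retr_example();
    println!("size={} md5={} stored={} truncated={}", rec.size, rec.md5, rec.stored.len(), rec.truncated);
}
```

The point of the split between `Md5` and `FileTracker` is that the digest never needs the full body: clearing `response.data` after each chunk (as the snippet above does) and still producing a correct md5 are not in conflict, as long as the chunk is pushed through the hasher before it is dropped. Retention of the body itself is a separate, bounded decision.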