I’m starting to develop a new AppLayer in C, based on the s7 protocol.
I would like to know if there is any specific documentation about the functions to be used and their corresponding explanation.
I have found the following documentation: https://doxygen.openinfosecfoundation.org/index.html
But I don’t know if there is any other more complete documentation or some example codes with the functions to be used.
Any help is welcome as I’m just starting out on this.
There is a lack of documentation on getting started with a new protocol parser at this time. The best documentation will be a parser that is somewhat similar, and we do have some scripts to help you get started.
To get started with a C based parser you could run the following command:
This will dump a bunch of templates out as well as wire them into the engine. You could then update app-layer-s7.c, rebuild and run Suricata over an S7 pcap, and you should see some debug output from the new template skeleton, since the template uses TCP by default, as S7 does as well.
Modbus and DNP3 are two other TCP protocols written in C that may provide some reference as well.
Thank you for your answer, it has been very helpful for me.
Now I’m taking a look at the Modbus parser and I’ve seen unittests.
Are these for testing parts of the code, or for creating bugs and generating alerts?
Is there any information about it ?
Unittests are for testing code (not for creating bugs/alerts). We generally advise that code be tested with suricata-verify tests, if possible.
Sometimes a unittest is more appropriate if the functionality can not be properly tested with suricata-verify, however. There may be internal conditions that are not externally testable.
To use Suricata’s unit tests
- Configure Suricata and include
- Execute all unittests with
- Execute selected unittests:
suricata -u -U modbus
I’d also add that if looking at existing parsers, some of the unit tests are a little beyond unittests. For newer parsers I’d take the more classic approach to unit tests (just test the functions in the parser), and then use Suricata-Verify tests for pcaps for more end-to-end tests.
For now, more of the Rust parsers work this way, as they are the newer parsers. One thing to have a unit test for would be each parser function that actually takes in raw bytes and returns structured data.
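As an added illustration of the two points made above (a C parser for the S7 protocol, and classic unit tests that feed raw bytes to a parser function and check the structured result), here is a stand-alone example that is not part of this thread or of the Suricata code base. It does not use Suricata's app-layer API (the template generated for app-layer-s7.c wires into that API; this example only shows the parsing and testing pattern). The header layout (TPKT, COTP DT TPDU, then the S7comm header with ROSCTR, PDU reference, parameter and data lengths, and the error class/code present only on ack/ack_data) follows the public S7comm description used by the Wireshark dissector; the two sample packets are constructed for the example, not taken from a capture.

```c
/* Stand-alone S7comm-over-TPKT/COTP header parser plus unit tests.
 * Illustrative example, not Suricata's app-layer API. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TPKT_HDR_LEN     4   /* RFC 1006: version, reserved, 16-bit big-endian length */
#define COTP_DT_HDR_LEN  3   /* ISO 8073 DT TPDU: LI, type (0xF0), TPDU nr/EOT */
#define S7_HDR_LEN       10  /* proto id, ROSCTR, reserved, PDU ref, param len, data len */
#define S7_ERR_LEN       2   /* error class + error code, only on ACK / ACK_DATA */

enum s7_rosctr { S7_JOB = 0x01, S7_ACK = 0x02, S7_ACK_DATA = 0x03, S7_USERDATA = 0x07 };
typedef enum { S7_OK = 0, S7_NEED_MORE = 1, S7_INVALID = 2 } S7Status;

typedef struct {
    uint8_t  rosctr;
    uint16_t pdu_ref;
    uint16_t param_len;
    uint16_t data_len;
    uint8_t  error_class;   /* valid only for S7_ACK / S7_ACK_DATA */
    uint8_t  error_code;
    size_t   pdu_len;       /* bytes consumed: the whole TPKT packet */
} S7Header;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse one TPKT packet carrying an S7comm PDU. Never reads past buf+len. */
S7Status S7ParseHeader(const uint8_t *buf, size_t len, S7Header *out)
{
    if (len < TPKT_HDR_LEN)
        return S7_NEED_MORE;
    if (buf[0] != 0x03)                      /* TPKT version must be 3 */
        return S7_INVALID;
    uint16_t tpkt_len = be16(buf + 2);
    if (tpkt_len < TPKT_HDR_LEN + COTP_DT_HDR_LEN + S7_HDR_LEN)
        return S7_INVALID;                   /* cannot hold even a bare S7 header */
    if (len < tpkt_len)
        return S7_NEED_MORE;                 /* wait for the rest of the segment */

    const uint8_t *cotp = buf + TPKT_HDR_LEN;
    if (cotp[0] != 0x02 || cotp[1] != 0xF0)  /* only DT TPDUs (LI=2, type 0xF0) carry S7comm */
        return S7_INVALID;

    const uint8_t *s7 = cotp + COTP_DT_HDR_LEN;
    if (s7[0] != 0x32)                       /* S7comm protocol id */
        return S7_INVALID;

    S7Header h = {0};
    h.rosctr    = s7[1];
    h.pdu_ref   = be16(s7 + 4);
    h.param_len = be16(s7 + 6);
    h.data_len  = be16(s7 + 8);

    size_t hdr_len = S7_HDR_LEN;
    switch (h.rosctr) {
    case S7_ACK:
    case S7_ACK_DATA:
        hdr_len += S7_ERR_LEN;
        if (tpkt_len < TPKT_HDR_LEN + COTP_DT_HDR_LEN + hdr_len)
            return S7_INVALID;
        h.error_class = s7[10];
        h.error_code  = s7[11];
        break;
    case S7_JOB:
    case S7_USERDATA:
        break;
    default:
        return S7_INVALID;                   /* unknown ROSCTR */
    }

    /* Declared parameter/data lengths must fit inside the TPKT packet, so an
     * attacker-controlled length can never make a caller read past the buffer. */
    size_t needed = TPKT_HDR_LEN + COTP_DT_HDR_LEN + hdr_len
                  + (size_t)h.param_len + (size_t)h.data_len;
    if (needed > tpkt_len)
        return S7_INVALID;

    h.pdu_len = tpkt_len;
    *out = h;
    return S7_OK;
}

/* Constructed sample packets (not from a real capture): a Setup Communication
 * job (ROSCTR 1) and its ack_data (ROSCTR 3), both with an 8-byte parameter block. */
const uint8_t S7_SAMPLE_JOB[] = {
    0x03, 0x00, 0x00, 0x19,                  /* TPKT, length 25 */
    0x02, 0xf0, 0x80,                        /* COTP DT */
    0x32, 0x01, 0x00, 0x00, 0x04, 0x00,      /* S7: job, pdu ref 0x0400 */
    0x00, 0x08, 0x00, 0x00,                  /* param len 8, data len 0 */
    0xf0, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0xe0 };
const size_t S7_SAMPLE_JOB_LEN = sizeof(S7_SAMPLE_JOB);

const uint8_t S7_SAMPLE_ACK[] = {
    0x03, 0x00, 0x00, 0x1b,                  /* TPKT, length 27 */
    0x02, 0xf0, 0x80,
    0x32, 0x03, 0x00, 0x00, 0x04, 0x00,      /* S7: ack_data, pdu ref 0x0400 */
    0x00, 0x08, 0x00, 0x00,
    0x00, 0x00,                              /* error class / code: no error */
    0xf0, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0xf0 };
const size_t S7_SAMPLE_ACK_LEN = sizeof(S7_SAMPLE_ACK);

/* Classic unit tests on the parser function alone: valid input, a truncated
 * segment, and a forged length that would overrun the buffer. Returns 1 on success. */
int S7ParserUnitTests(void)
{
    S7Header h;
    if (S7ParseHeader(S7_SAMPLE_JOB, S7_SAMPLE_JOB_LEN, &h) != S7_OK) return 0;
    if (h.rosctr != S7_JOB || h.pdu_ref != 0x0400 || h.param_len != 8 || h.data_len != 0) return 0;
    if (S7ParseHeader(S7_SAMPLE_ACK, S7_SAMPLE_ACK_LEN, &h) != S7_OK) return 0;
    if (h.rosctr != S7_ACK_DATA || h.error_class != 0 || h.pdu_len != 27) return 0;
    if (S7ParseHeader(S7_SAMPLE_JOB, 12, &h) != S7_NEED_MORE) return 0;   /* half a packet */
    uint8_t bad[sizeof(S7_SAMPLE_JOB)];
    memcpy(bad, S7_SAMPLE_JOB, sizeof(bad));
    bad[13] = 0xff; bad[14] = 0xff;          /* param_len now claims 65535 bytes */
    if (S7ParseHeader(bad, sizeof(bad), &h) != S7_INVALID) return 0;
    return 1;
}

int main(void)
{
    S7Header h;
    if (S7ParseHeader(S7_SAMPLE_JOB, S7_SAMPLE_JOB_LEN, &h) == S7_OK)
        printf("job: ref=%u param_len=%u data_len=%u\n", h.pdu_ref, h.param_len, h.data_len);
    int ok = S7ParserUnitTests();
    printf("unit tests %s\n", ok ? "passed" : "FAILED");
    return ok ? 0 : 1;
}
```

The three outcomes (OK, NEED_MORE, INVALID) mirror what an app-layer parser needs to tell the engine: a complete PDU was consumed, more TCP data is required before it can decide, or the stream is not S7 (or is malformed) and should raise an event. The length-fit check is the one most worth a unit test, since it is the internal condition that a pcap-driven suricata-verify test cannot easily pin down.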