I am a new suricata user. I want to add a new app layer protocol, SOME/IP, a protocol use in vehicle which base on UDP. So I run “python scripts/setup-app-layer.py Someip”, and I got many files。Firstly, I programming SomeipProbingParser function and SomeipParseRequest function in “app-layer-someip.c” according to the content of “app-layer-modbus.c”, it worked correctly.
But i don’t know what i should do next?
- modbus protol have a file “detect-modbus.c”, but “python scripts/setup-app-layer.py Someip” does not generte a file likely “detect-someip.c”,should I add it?
2.After the packet is probed and parsed, the next step will be sent to “detect-someip.c”? Should I add a “someip-events.rules”?And what is the first test rule I should add that will facilitate testing?
Has anyone done similar work, can you provide some help to me ?
Thank you very much.
Really sorry for letting this unanswered for so long, I hope you have been able to find answers to your questions, but still want to give some direction here, in case anyone else finds this topic.
- If you want to be able to write rules and detect on specific fields of your new protocol, then, yes, a detection module will be needed; the
setup-app-layer script that you’ve used would create such files if the argument
--detect is passed.
- In general, before adding detection capabilities to a parser, we add a logger to it (see also Adding a new protocol to suricata in rust). There are two reasons for this: i) it allows us to have Suricata-verify tests, which will test the parser functioning as a whole and help with refactoring and improving; ii) Suricata is already capable of generating a lot of useful data just from the outputs, regardless of having a detection module - so this tends to come first. As for a rule for testing, I am not a rule writer, but I suppose that you could try out something like:
alert yourapplayer any any -> any any (msg:"Test: new applayer detected"; sid: 1; rev: 1;)
And you can define sticky buffers for detection, which then would allow you to check for specific content in your messages.
I have also answered a related question a few months ago: Adding new protocol to suricata with rust - #10 by Robullo Although this talks about Rust, I think the steps would be the same for both languages, mostly.
A couple of other things I think are worth mentioning:
- if you would want this to be considered as an official addition to Suricata, the process would also involve reaching out here in the forum so the maintaining team and the community could discuss and agree with that, first;
- we are moving towards writing protocols in Rust, as much as possible, so it is important to consider that if you have further similar work in mind
Hope this can be useful for anyone out there, and wishing that you have managed to successfully finish your project!