aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
main-8.0.x
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.2
suricata-7.0.13
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a1c4167d94'
${ noResults }
suricata/doc/userguide/devguide/extending/app-layer/overview.rst

106 lines
4.1 KiB
ReStructuredText
Raw Blame History

Application Layer Overview
##########################
.. contents:: Table of Contents
This section aims to give an overview of what is needed to add
an application-layer protocol to Suricata.
After a generic first step of collecting data about this application-layer protocol,
especially pcaps for testing, we can dive into the Suricata specifics.
An application-layer protocol has three logic components in Suricata:
- parser
- logger
- detecting keywords
Both detection engine and logger will depend on the processing done by the parser.
For security reasons, we now develop application-layer protocol code
only in Rust and not in C.
The script ``scripts/setup-app-layer.py`` may help you get started for adding
a new app-layer protocol.
Parser
******
The parser is described by an instance of the structure ``RustParser``.
A parser has:
- a name (where it is better to avoid dashes)
- an ipproto (if an app-layer is both over UDP and TCP, it needs to be registered with 2 RustParser)
- flags: only one flag ``APP_LAYER_PARSER_OPT_ACCEPT_GAPS``
- some app-layer detection logic see :ref:`Protocol detection`.
- some logic around (one) State and (one) Transaction structures
- some stringer functions (frames, events)
So each app-layer protocol needs to define two structures: one State and one Transaction.
A State will live throughout the flow (or until there is a protocol change in the flow).
As such, it is useful to retain data that needs such a scope (for example HTTP2 dynamic headers table).
And it is also useful if the parsing uses a state-machine logic, for example for file streaming.
A State will own a list of :doc:`transactions`.
Transactions
============
Transactions are the basic logical unit used by Suricata for an application-layer protocol.
The big decision is how to assemble PDUs into a transaction.
Simplest design is to have one transaction per PDU (like DNS).
But it may add value for example to combine request and response into a single transaction
(like HTTP).
The ``RustParser`` structure contains callbacks to parse network traffic in both directions.
These callbacks will create the transactions.
For protocols over TCP, this callback has to loop as one callback may run for a network traffic
containing multiple PDUs, and thus resulting in the creation of multiple transactions.
.. note:: If a protocol may have multiple long-lived transactions, it is good to enforce limits
on the number of live transactions, and bound any other data owned by the State.
In case of parsing anomalies, a transaction can set anomaly events, which are specific
to the application-layer protocol. There is currently no good standardized way to have
this kind of event outside transactions.
Gap support
===========
It is good to develop an app-layer support first without gap support,
then improve it by adding gap support.
Pcaps for testing can be created by removing some packets in previous testing pcaps.
After adding the flag ``APP_LAYER_PARSER_OPT_ACCEPT_GAPS``, a generic way to handle this is:
- add two booleans to the State, like request_gap and response_gap
- have the parsing functions set these booleans ``if stream_slice.is_gap()``
- have the parsing functions test these booleans, and try to resync with a beginning of a PDU
.. note:: This generic best-effort approach is vulnerable to request/response smuggling.
Another less generic approach is to handle gaps only in the case the gap happens
in the middle of a known-length PDU (like HTTP1 content-length).
Logger
******
Besides the logging function, the logger also has a direction which may be
either ``LOG_DIR_PACKET`` or ``LOG_DIR_FLOW``.
UDP unidirectional transactions will be better interpreted using ``LOG_DIR_PACKET``
while TCP transactions are usually better interpreted using ``LOG_DIR_FLOW``.
The logging function returns a boolean which must be false if there is nothing to log,
for example if the resulting json object is empty.
Support for application-layer specific logging options is not yet standardized,
especially for alerts.
Detection engine
****************
A simple callback should register the keywords matching the log output fields.
Reference in New Issue View Git Blame Copy Permalink