Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Applayer plugin 5053 v7 #12448

Draft
wants to merge 6 commits into
base: master
Choose a base branch
from
Draft

Applayer plugin 5053 v7 #12448

wants to merge 6 commits into from

Conversation

catenacyber
Copy link
Contributor

@catenacyber catenacyber commented Jan 22, 2025
edited
Loading

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/4102 with all 6 subtickets

Describe changes:

  • add app-layer plugin example with template protocol
  • document app-layer plugins

@jufajardini what do you think about the doc ?

@jasonish as you created the tickets, is this what you expected ?

Follows #12441

Draft: Commit POC: suricata-plugin crate is a POC to discuss

I think we want

  • pure rust app-layer plugins, that look like one app-layer code in Suricata
  • plugins can import somehow from Suricata :
    • type definitions like AppProto,
    • constants like ALPROTO_UNKNOWN,
    • enum like AppLayerEventType::APP_LAYER_EVENT_TYPE_TRANSACTION
    • Struct definitions like SCAppLayerPlugin
    • Opaque definitions like Flow (for better code readability of callbacks)
    • Suricata C functions to use like `AppLayerRegisterProtocolDetection

Alternatives are

  • plugin redefines all these in some suricata.rs file : works but not nice
  • plugin has a dependency on Suricata crate : not sure it works, but not nice as well as it makes the plugin compile the 200 dependencies of Suricata
  • plugin has a dependency on a light (0 dependency) Suricata plugin crate, whose code gets somehow generated from Suricata rust code

@jasonish

  • Is the problem well established this way ?
  • Do you see other alternatives ?
  • Is the last alternative looking the best to you as well ? (suricata plugin crate with code that gets generated from Suricata rust code)

@catenacyber
template: rustfmt
7cc3665 
and use generic logger callback prototype with later cast
@catenacyber
smb: limits rust visibility for statuses
800ebd1 
and rustfmt
@catenacyber
rust: make some constants exportable by cbindgen
5226414 
by not using macro
@catenacyber
POC: suricata-plugin crate
dc16848
@catenacyber
plugin: add in-tree app-layer template plugin for testing
22b627b 
Ticket: 7151
Ticket: 7152
Ticket: 7154
@catenacyber
plugins: document app-layer plugins
4c46a0b 
Ticket: 7149
Ticket: 7150
Ticket: 7153
@catenacyber catenacyber mentioned this pull request Jan 22, 2025
Closed
@catenacyber
Copy link
Contributor Author

Maybe I should emphasize that plugin code and Suricata code must be well separated and only communicate through the lingua-franca C API

@catenacyber
Copy link
Contributor Author

Talking with Jason, he thinks the second alternative is better...

I will give it a shot, limiting my time on it...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien will be requested when the pull request is marked ready for review victorjulien is a code owner

@jasonish jasonish Awaiting requested review from jasonish jasonish will be requested when the pull request is marked ready for review jasonish is a code owner

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini will be requested when the pull request is marked ready for review jufajardini is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
skip qa
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@catenacyber