<div dir="ltr"><div><div>Thanks! I think I'll start with BGP because that one is particularly interesting to me. I've got a nom-based IPFIX parser that has been stable in production and has some basic tests, but after reading that link, I'm interested to see if I can break it with a fuzzer.<br><br></div>I'll let you know if I need any help. Thanks again!<br><br></div>Nick<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jun 19, 2017 at 3:30 AM, Pierre Chifflier <span dir="ltr"><<a href="mailto:chifflier@wzdftpd.net" target="_blank">chifflier@wzdftpd.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 06/18/2017 04:53 PM, Nick Price wrote:<br>
> I'm interested in hacking on some of the new Rust stuff in Suricata.<br>
> What's on the to-do list? I have experience using the Nom crate to<br>
> decode protocols based on RFC if there are more protocols that need to<br>
> be implemented or if more work needs to be done on existing ones.<br>
><br>
<br>
</span>Hi Nick,<br>
<br>
<br>
There are different kinds of (development) actions that can help:<br>
1. writing the raw parsers for the different protocols<br>
2. integrating them and adding the verification/detection logic<br>
<br>
For 1, there is a large choice of protocols, depending on what you know<br>
best, and the difficulty of the protocol: some of them are interesting<br>
but quite hard: SIP, RDP, Kerberos, etc. Starting with something simpler<br>
may be easier. Some other random names: BGP, IoT protocols, Messaging, etc.<br>
The Suricata team may have some good protocol names in mind, too.<br>
<br>
I have started a few of them as independent projects here:<br>
<a href="https://github.com/rusticata" rel="noreferrer" target="_blank">https://github.com/rusticata</a><br>
Some of them are incomplete and require more code and tests: SNMP<br>
(because of the interactions with BER), or IKEv2, almost complete but<br>
requires more testing. Support parsers like DER and X.509 will take some<br>
time to complete.<br>
I also intend to add DTLS to the rust tls-parser.<br>
<br>
My advice, if adding a new protocol, would be to first write it as<br>
independent rust code and use the unit tests and fuzzing tools to test it.<br>
You can find a tutorial on writing and testing the parsers here:<br>
<a href="https://github.com/Geal/langsec-2017-hackathon-code" rel="noreferrer" target="_blank">https://github.com/Geal/langsec-2017-hackathon-code</a><br>
<br>
If you need some help, I'd be happy to help (plx on #suricata).<br>
<br>
Regards,<br>
Pierre<br>
</blockquote></div><br></div>
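As an added example that is not part of this thread or of the rusticata projects, here is a stand-alone Rust parser for the fixed BGP message header (RFC 4271 section 4.1) written in the "independent code first, then unit tests and fuzzing" style Pierre recommends; it uses plain slices instead of the nom crate so it builds without dependencies, and every malformed input comes back as an error rather than a panic, which is exactly what a fuzzer would otherwise surface. Function and type names are my own.

```rust
// Added example (not from the thread or rusticata): panic-free parser for the
// 19-octet BGP message header: 16-octet marker of all ones, 2-octet length
// (covers the header, 19..=4096), 1-octet type. Plain slices, no nom.

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum BgpType { Open, Update, Notification, Keepalive, RouteRefresh }

#[derive(Debug, PartialEq, Eq)]
pub struct BgpHeader { pub length: u16, pub msg_type: BgpType }

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError { Incomplete, BadMarker, BadLength(u16), BadType(u8) }

pub const BGP_HEADER_LEN: usize = 19;
pub const BGP_MAX_LEN: u16 = 4096;

/// Parse the header and return it together with the message body it declares.
pub fn parse_bgp_header(input: &[u8]) -> Result<(BgpHeader, &[u8]), ParseError> {
    // Check the length before any indexing: a short read is an error, not a panic.
    if input.len() < BGP_HEADER_LEN { return Err(ParseError::Incomplete); }
    // The 16-octet marker must be all ones.
    if input[..16].iter().any(|&b| b != 0xff) { return Err(ParseError::BadMarker); }
    let length = u16::from_be_bytes([input[16], input[17]]);
    let msg_type = match input[18] {
        1 => BgpType::Open, 2 => BgpType::Update, 3 => BgpType::Notification,
        4 => BgpType::Keepalive, 5 => BgpType::RouteRefresh,
        other => return Err(ParseError::BadType(other)),
    };
    // Length includes the header; a KEEPALIVE carries no body at all.
    let too_small = (length as usize) < BGP_HEADER_LEN;
    let keepalive_bad = msg_type == BgpType::Keepalive && length as usize != BGP_HEADER_LEN;
    if too_small || length > BGP_MAX_LEN || keepalive_bad {
        return Err(ParseError::BadLength(length));
    }
    // The declared body must actually be present in the buffer.
    let body_len = length as usize - BGP_HEADER_LEN;
    let rest = &input[BGP_HEADER_LEN..];
    if rest.len() < body_len { return Err(ParseError::Incomplete); }
    Ok((BgpHeader { length, msg_type }, &rest[..body_len]))
}

/// Build a well-formed message around `body` (constructed test input, not captured traffic).
pub fn build_bgp_message(msg_type: u8, body: &[u8]) -> Vec<u8> {
    let mut msg = vec![0xffu8; 16];
    msg.extend_from_slice(&((BGP_HEADER_LEN + body.len()) as u16).to_be_bytes());
    msg.push(msg_type);
    msg.extend_from_slice(body);
    msg
}

fn main() {
    println!("{:?}", parse_bgp_header(&build_bgp_message(4, &[])));
}
```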