chifflier at wzdftpd.net
Mon Jun 19 07:30:54 UTC 2017
On 06/18/2017 04:53 PM, Nick Price wrote:
> I'm interested in hacking on some of the new Rust stuff in Suricata.
> What's on the to-do list? I have experience using the Nom crate to
> decode protocols based on RFC if there are more protocols that need to
> be implemented or if more work needs to be done on existing ones.
There are different kinds of (development) actions that can help:
1. writing the raw parsers for the different protocols
2. integrating them, and adding the verification/detection logic
For 1, there is a large choice of protocols, depending on what you know
best and on the difficulty of the protocol: some of them are interesting
but quite hard (SIP, RDP, Kerberos, etc.), so starting with something
simpler may be easier. Some other random names: BGP, IoT protocols,
messaging, etc.
The Suricata team may have some good protocols names in mind, too.
I have started a few of them as independent projects here:
Some of them are incomplete and require more code and tests: SNMP
(because of the interactions with BER), or IKEv2, which is almost complete
but requires more testing. Supporting parsers like DER and X.509 will take
some time to complete.
I also intend to add DTLS to the rust tls-parser.
My advice, if adding a new protocol, would be to first write it as
independent Rust code and use the unit tests and fuzzing tools to test it.
You can find a tutorial on writing and testing the parsers here:
If you need some help, I'd be happy to help (plx on #suricata).
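As an added illustration of the advice above (example code, not from the mail and not from the Suricata or rusticata parser projects): a stand-alone parser for the BGP-4 message header, written as independent Rust code with the checks a fuzzer would exercise. It uses only the standard library instead of nom so it compiles without extra crates; with nom the same checks would be expressed as tag/be_u16/verify combinators. The header layout (16 octets of 0xFF marker, a 2-octet length in 19..=4096, a 1-octet type 1-4) is from RFC 4271; the function and type names and the sample bytes are my own.

```rust
// Added example (not Suricata or rusticata code): a BGP-4 message header
// parser (RFC 4271, section 4.1) written as independent Rust with unit
// tests, the approach the mail recommends before integrating into Suricata.
// Only std is used; the error type mirrors nom's split between "need more
// bytes" and "malformed input".

/// Fixed header size and the upper bound RFC 4271 places on the Length field.
pub const BGP_HEADER_LEN: usize = 19;
pub const BGP_MAX_MSG_LEN: u16 = 4096;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum BgpMsgType {
    Open,
    Update,
    Notification,
    Keepalive,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct BgpHeader {
    pub length: u16,
    pub msg_type: BgpMsgType,
}

/// Parse outcome: a stream parser must tell "the TCP segment ended here"
/// (Incomplete, keep buffering) apart from "this is malformed" (alert).
#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    /// Fewer bytes than needed; `needed` is the header size wanted.
    Incomplete { needed: usize },
    BadMarker,
    BadLength(u16),
    BadType(u8),
}

/// Parse one BGP header from `input`. On success returns the unparsed
/// remainder (message body plus any following messages) and the header.
pub fn parse_bgp_header(input: &[u8]) -> Result<(&[u8], BgpHeader), ParseError> {
    if input.len() < BGP_HEADER_LEN {
        return Err(ParseError::Incomplete { needed: BGP_HEADER_LEN });
    }
    let (marker, rest) = input.split_at(16);
    // RFC 4271: the 16-octet marker MUST be all ones.
    if marker.iter().any(|&b| b != 0xFF) {
        return Err(ParseError::BadMarker);
    }
    let length = u16::from_be_bytes([rest[0], rest[1]]);
    // Length includes the header itself, so below 19 or above 4096 is
    // malformed. Rejecting it here is what prevents a length-driven
    // over-read when the body is sliced out later.
    if (length as usize) < BGP_HEADER_LEN || length > BGP_MAX_MSG_LEN {
        return Err(ParseError::BadLength(length));
    }
    let msg_type = match rest[2] {
        1 => BgpMsgType::Open,
        2 => BgpMsgType::Update,
        3 => BgpMsgType::Notification,
        4 => BgpMsgType::Keepalive,
        t => return Err(ParseError::BadType(t)),
    };
    Ok((&rest[3..], BgpHeader { length, msg_type }))
}

/// Split a buffer into complete BGP messages using the validated header
/// length. Returns the headers found and the bytes consumed, so the caller
/// can keep a trailing partial message buffered until more data arrives.
pub fn split_messages(buf: &[u8]) -> Result<(Vec<BgpHeader>, usize), ParseError> {
    let mut hdrs = Vec::new();
    let mut off = 0;
    while off < buf.len() {
        match parse_bgp_header(&buf[off..]) {
            Ok((_, hdr)) => {
                let total = hdr.length as usize;
                if buf.len() - off < total {
                    break; // body not fully here yet
                }
                hdrs.push(hdr);
                off += total;
            }
            Err(ParseError::Incomplete { .. }) => break,
            Err(e) => return Err(e),
        }
    }
    Ok((hdrs, off))
}

/// Constructed sample stream: one KEEPALIVE (19 bytes) followed by the
/// header of an OPEN whose 10-byte body has not arrived yet.
pub fn sample_stream() -> Vec<u8> {
    let mut v = vec![0xFF; 16];
    v.extend_from_slice(&[0x00, 0x13, 0x04]); // length 19, type KEEPALIVE
    v.extend_from_slice(&[0xFF; 16]);
    v.extend_from_slice(&[0x00, 0x1D, 0x01]); // length 29, type OPEN
    v
}

fn main() {
    let buf = sample_stream();
    match split_messages(&buf) {
        Ok((hdrs, used)) => println!(
            "{} complete message(s), {} bytes consumed, {} bytes pending",
            hdrs.len(), used, buf.len() - used
        ),
        Err(e) => println!("malformed stream: {:?}", e),
    }
}
```

The unit tests below are the kind the mail suggests writing first: they cover the happy path, a truncated header, a corrupted marker, an out-of-range length, and an unknown type. Feeding the same function to cargo-fuzz then only needs a target that calls `parse_bgp_header` on arbitrary bytes and asserts it never panics.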