suricata/rust/src/lib.rs

/* Copyright (C) 2017-2021 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

//! Suricata is a network intrusion prevention and monitoring engine.
//!
//! Suricata is a hybrid C and Rust application. What is found here are
//! the components written in Rust.

#![cfg_attr(feature = "strict", deny(warnings))]

// Allow these patterns as its a style we like.
#![allow(clippy::needless_return)]
#![allow(clippy::let_and_return)]
#![allow(clippy::uninlined_format_args)]

// We find this is beyond what the linter should flag.
#![allow(clippy::items_after_test_module)]

// We find this makes sense at time.
#![allow(clippy::module_inception)]

// The match macro is not always more clear. But its use is
// recommended where it makes sense.
#![allow(clippy::match_like_matches_macro)]

// Something we should be conscious of, but due to interfacing with C
// is unavoidable at this time.
#![allow(clippy::too_many_arguments)]

// This would be nice, but having this lint enables causes
// clippy --fix to make changes that don't meet our MSRV.
#![allow(clippy::derivable_impls)]

// TODO: All unsafe functions should have a safety doc, even if its
// just due to FFI.
#![allow(clippy::missing_safety_doc)]

// Allow /// cbindgen:ignore comments on extern blocks
// cf https://github.com/mozilla/cbindgen/issues/709
#![allow(unused_doc_comments)]

// Allow unknown lints, our MSRV doesn't know them all, for
// example static_mut_refs.
#![allow(unknown_lints)]

// Allow for now, but need to be fixed.
#![allow(static_mut_refs)]

#[macro_use]
extern crate bitflags;
extern crate byteorder;
extern crate crc;
extern crate memchr;
extern crate lru;
#[macro_use]
extern crate num_derive;
extern crate widestring;

extern crate der_parser;
extern crate kerberos_parser;
extern crate tls_parser;
extern crate x509_parser;
extern crate ldap_parser;

#[macro_use]
extern crate suricata_derive;

#[macro_use]
pub mod log;

#[macro_use]
pub mod core;

#[macro_use]
pub mod common;
pub mod conf;
pub mod jsonbuilder;
#[macro_use]
pub mod applayer;
pub mod frames;
pub mod filecontainer;
pub mod filetracker;
pub mod kerberos;
pub mod detect;
pub mod utils;

pub mod ja4;

pub mod lua;

pub mod dns;
pub mod nfs;
pub mod ftp;
pub mod smb;
pub mod krb;
pub mod dcerpc;
pub mod modbus;

pub mod ike;
pub mod snmp;

pub mod ntp;
pub mod tftp;
pub mod dhcp;
pub mod sip;
pub mod rfb;
pub mod mqtt;
pub mod pgsql;
pub mod telnet;
pub mod websocket;
pub mod enip;
pub mod applayertemplate;
pub mod rdp;
pub mod x509;
pub mod asn1;
pub mod mime;
pub mod ssh;
pub mod http2;
pub mod quic;
pub mod bittorrent_dht;
pub mod plugin;
pub mod lzma;
pub mod util;
pub mod ffi;
pub mod feature;
pub mod sdp;
pub mod ldap;
pub mod flow;
pub mod direction;

#[allow(unused_imports)]
pub use suricata_lua_sys;
quic: Add QUIC App Layer Parses quic and logs a CYU hash for gquic frames 5 years ago			`/* Copyright (C) 2017-2021 Open Information Security Foundation`
rust: wrapper around C logging, and "context" Where the context is a struct passed from C with pointers to all the functions that may be called. Instead of referencing C functions directly, wrap them in function pointers so pure Rust unit tests can still run. 8 years ago			`*`
			`* You can copy, redistribute or modify this Program under the terms of`
			`* the GNU General Public License version 2 as published by the Free`
			`* Software Foundation.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* version 2 along with this program; if not, write to the Free Software`
			`* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA`
			`* 02110-1301, USA.`
			`*/`

rust/doc: add docstring to rust module files. Issue: #4584 2 years ago			`//! Suricata is a network intrusion prevention and monitoring engine.`
			`//!`
			`//! Suricata is a hybrid C and Rust application. What is found here are`
			`//! the components written in Rust.`

rust: --enable-rust-strict to turn warnings into errors 8 years ago			`#![cfg_attr(feature = "strict", deny(warnings))]`

rust: don't allow fixed up clippy lints 3 years ago			`// Allow these patterns as its a style we like.`
			`#![allow(clippy::needless_return)]`
			`#![allow(clippy::let_and_return)]`
rust: allow uninlined_format_args Newer versions of Rust/clippy are getting picky about format strings. We should allow and use the new style, but also not prevent the old style. 3 years ago			`#![allow(clippy::uninlined_format_args)]`
rust: don't allow fixed up clippy lints 3 years ago
rust: allow clippy::items_after_test_module As clippy began to complain about jsonbuilder.rs 2 years ago			`// We find this is beyond what the linter should flag.`
			`#![allow(clippy::items_after_test_module)]`

rust/clippy: comments on why we have specific allows 3 years ago			`// We find this makes sense at time.`
			`#![allow(clippy::module_inception)]`
rust: allow some more clippy lints Allow these lints for now until some more investigation can be done, as --fix attempts to fix these. 3 years ago
rust/clippy: comments on why we have specific allows 3 years ago			`// The match macro is not always more clear. But its use is`
			`// recommended where it makes sense.`
rust(lint): suppress clippy lints that we should fix Suppress all remaining clippy lints that we trip. This can be fixed on a per-lint basis. 4 years ago			`#![allow(clippy::match_like_matches_macro)]`
rust/clippy: comments on why we have specific allows 3 years ago
			`// Something we should be conscious of, but due to interfacing with C`
			`// is unavoidable at this time.`
			`#![allow(clippy::too_many_arguments)]`

rust/clippy: allow derivable impls The latest Rust will automatically "fix" derivable default implementation, which is nice, but makes changes that don't meet our current MSRV, so allow derivable impls for now. 2 years ago			`// This would be nice, but having this lint enables causes`
			`// clippy --fix to make changes that don't meet our MSRV.`
			`#![allow(clippy::derivable_impls)]`

rust/clippy: comments on why we have specific allows 3 years ago			`// TODO: All unsafe functions should have a safety doc, even if its`
			`// just due to FFI.`
			`#![allow(clippy::missing_safety_doc)]`
rust: allow some clippy lints without warning Suppresses some clippy lints that have more to do with style than anything else, to reduce the amount of noise in the clippy output. 5 years ago
rust: compatibility with cbindgen 0.27 Ticket: 7206 Cbindgen 0.27 now handles extern blocks as extern "C" blocks. The way to differentiate them is to use a special comment before the block. 12 months ago			`// Allow /// cbindgen:ignore comments on extern blocks`
			`// cf https://github.com/mozilla/cbindgen/issues/709`
			`#![allow(unused_doc_comments)]`

rust: allow static_mut_refs for now But we should fix all these soon. 8 months ago			`// Allow unknown lints, our MSRV doesn't know them all, for`
			`// example static_mut_refs.`
			`#![allow(unknown_lints)]`

			`// Allow for now, but need to be fixed.`
			`#![allow(static_mut_refs)]`

protocol parser: rdp Initial implementation of feature 2314: 1. Add protocol parser for RDP 2. Add transactions for RDP negotiation 3. Add eve logging of transactions 6 years ago			`#[macro_use]`
			`extern crate bitflags;`
			`extern crate byteorder;`
rust/nfs: add (file)handle to log as crc32 8 years ago			`extern crate crc;`
protocol parser: rdp Initial implementation of feature 2314: 1. Add protocol parser for RDP 2. Add transactions for RDP negotiation 3. Add eve logging of transactions 6 years ago			`extern crate memchr;`
smb: use lru for guid2name map; rename Use `lru` crate. Rename to reflect this. Add `app-layer.protocols.smb.max-guid-cache-size` to control the max size of the LRU cache. Ticket: #5672. 10 months ago			`extern crate lru;`
protocol parser: rdp Initial implementation of feature 2314: 1. Add protocol parser for RDP 2. Add transactions for RDP negotiation 3. Add eve logging of transactions 6 years ago			`#[macro_use]`
			`extern crate num_derive;`
			`extern crate widestring;`
rust/nfs: add (file)handle to log as crc32 8 years ago
rust/smb: initial support Implement SMB app-layer parser for SMB1/2/3. Features: - file extraction - eve logging - existing dce keyword support - smb_share/smb_named_pipe keyword support (stickybuffers) - auth meta data extraction (ntlmssp, kerberos5) 8 years ago			`extern crate der_parser;`
auth/krb5: move kerberos5 wrapper to rust root Make it available outside of just the SMB parser. 7 years ago			`extern crate kerberos_parser;`
protocol parser: rdp Initial implementation of feature 2314: 1. Add protocol parser for RDP 2. Add transactions for RDP negotiation 3. Add eve logging of transactions 6 years ago			`extern crate tls_parser;`
			`extern crate x509_parser;`
rust/ldap: implement types and filters This implementation adds types and filters specified in the LDAP RFC to work with the ldap_parser. Although using the parser directly would be best, strange behavior has been observed during transaction logging. It appears that C pointers are being overwritten, leading to incorrect output when LDAP fields are logged. 1 year ago			`extern crate ldap_parser;`
rust/smb: initial support Implement SMB app-layer parser for SMB1/2/3. Features: - file extraction - eve logging - existing dce keyword support - smb_share/smb_named_pipe keyword support (stickybuffers) - auth meta data extraction (ntlmssp, kerberos5) 8 years ago
dns: use derive macro for DNSEvent 6 years ago			`#[macro_use]`
			`extern crate suricata_derive;`

rust: stub out logging from rust 8 years ago			`#[macro_use]`
			`pub mod log;`
rust: stub out configuration access functions 8 years ago
rust: dns: add log filtering on rrtype While the filtering is still configured in C, the filtering flags are passed into Rust so it can determine if a record should be logged or not. 8 years ago			`#[macro_use]`
rust: wrapper around C logging, and "context" Where the context is a struct passed from C with pointers to all the functions that may be called. Instead of referencing C functions directly, wrap them in function pointers so pure Rust unit tests can still run. 8 years ago			`pub mod core;`
rust: dns: add log filtering on rrtype While the filtering is still configured in C, the filtering flags are passed into Rust so it can determine if a record should be logged or not. 8 years ago
rust: add take_until_and_consume replacement function 6 years ago			`#[macro_use]`
			`pub mod common;`
rust: stub out configuration access functions 8 years ago			`pub mod conf;`
jsonbuilder: new module for generating json JsonBuilder is a Rust module for creating JSON output. Unlike Jansson, the final JSON string is built up as items are added, instead of building up an object tree and rendering it when done. The idea is to create a more efficient JSON serializer instead of a flexible one. 6 years ago			`pub mod jsonbuilder;`
rust/app-layer: macros to export de_state functions These macros generate the extern "C" functions for transactions structs that need provide functions for setting and getting the de_state. The idea is to provide macros do avoid code duplication and make it simpler to create an app-layer. A trait would be the correct solution, but it doesn't look like you can use traits to export extern "C" functions. 7 years ago			`#[macro_use]`
rust: use LoggerFlags type to track logged state 8 years ago			`pub mod applayer;`
app/frames: implement rust API 4 years ago			`pub mod frames;`
rust: filecontainer API Wrapper around Suricata's File and FileContainer API. Built around assumption that a rust owned structure will have a 'SuricataFileContainer' member that is managed by the C-side of things. 8 years ago			`pub mod filecontainer;`
rust: filetracker API Initial version of a filetracker API that depends on the filecontainer and wraps around the Suricata File API in C. The API expects chunk based transfers where chunks can be out of order. 8 years ago			`pub mod filetracker;`
auth/krb5: move kerberos5 wrapper to rust root Make it available outside of just the SMB parser. 7 years ago			`pub mod kerberos;`
detect: rust generic functions for integers Move it away from http2 to generic core crate. And use it for DCERPC (and SMB) And remove the C version. Main change in API is the free function is not free itself, but a rust wrapper around unbox. Ticket: #4112 3 years ago			`pub mod detect;`
rust/base64: add decoder Add a pure rust base64 decoder. This supports 3 modes of operation just like the C decoder as follows. 1. RFC 2045 2. RFC 4648 3. Strict One notable change is that "strict" mode is carried out by the rust base64 crate instead of native Rust. This crate was already used for encoding in a few places like datasets of string type. As a part of this mode, now, only the strings that can be reliably converted back are decoded. The decoder fn is available to C via FFI. Bug 6280 Ticket 7065 Ticket 7058 1 year ago			`pub mod utils;`
rust: lua wrapper Rust wrapper for working with lua state. 8 years ago
ja4: implement for TLS and QUIC Ticket: OISF#6379 1 year ago			`pub mod ja4;`

rust: lua wrapper Rust wrapper for working with lua state. 8 years ago			`pub mod lua;`

rust: dns: nom DNS parsers 8 years ago			`pub mod dns;`
rust/nfs: NFSv3 parser, logger and detection 8 years ago			`pub mod nfs;`
app-layer-ftp: add ftp-data support Use expectation to be able to identify connections that are ftp data. It parses the PASV response, STOR message and the RETR message to provide extraction of files. Implementation in Rust of FTP messages parsing is available. Also this patch changes some var name prefixed by ssh to ftp. 8 years ago			`pub mod ftp;`
rust/smb: initial support Implement SMB app-layer parser for SMB1/2/3. Features: - file extraction - eve logging - existing dce keyword support - smb_share/smb_named_pipe keyword support (stickybuffers) - auth meta data extraction (ntlmssp, kerberos5) 8 years ago			`pub mod smb;`
Add Kerberos 5 application layer 7 years ago			`pub mod krb;`
dcerpc: Replace C function calls with Rust All the dead code in C after the Rust implementation is hereby removed. Invalid/migrated tests have also been deleted. All the function calls in C have been replaced with appropriate calls to Rust functions. Same has been done for smb/detect.rs as a part of this migration. 5 years ago			`pub mod dcerpc;`
modbus: move from C to rust Adds a new rust modbus app layer parser and detection module. Moves the C module to rust but leaves the test cases in place to regression test the new rust module. 5 years ago			`pub mod modbus;`
Add NTP parser (rust-experimental) 8 years ago
ikev1: rename ikev2 to common ike Renaming was done with shell commands, git mv for moving the files and content like find -iname '*.c' \| xargs sed -i 's/ikev1/ike/g' respecting the different mixes of upper/lower case. 5 years ago			`pub mod ike;`
Add SNMP (v1/v2c/v3) application layer 7 years ago			`pub mod snmp;`
Add new parser: IKEv2 Add a new parser for Internet Key Exchange version (IKEv2), defined in RFC 7296. The IKEv2 parser itself is external. The embedded code includes the parser state and associated variables, the state machine, and the detection code. The parser looks the first two messages of a connection, and analyzes the client and server proposals to check the cryptographic parameters. 8 years ago
Add NTP parser (rust-experimental) 8 years ago			`pub mod ntp;`
rust/tftp: add tftp parsing and logging TFTP parsing and logging written in Rust. Log on eve.json the type of request (read or write), the name of the file and the mode. Example of output: "tftp":{"packet":"read","file":"rfc1350.txt","mode":"octet"} 8 years ago			`pub mod tftp;`
rust/dhcp: Rust based DHCP decoder and logger. This is a DHCP decoder and logger written in Rust. Unlike most parsers, this one is stateless so responses are not matched up to requests by Suricata. However, the output does contain enough fields to match them up in post-processing. Rules are included to alert of malformed or truncated options. 7 years ago			`pub mod dhcp;`
rust/sip: add parser for SIP protocol 7 years ago			`pub mod sip;`
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation. 6 years ago			`pub mod rfb;`
rust/mqtt: add MQTT parser 5 years ago			`pub mod mqtt;`
pgsql: add initial support - add nom parsers for decoding most messages from StartupPhase and SimpleQuery subprotocols - add unittests - tests/fuzz: add pgsql to confyaml Feature: #4241 4 years ago			`pub mod pgsql;`
telnet: initial support with frames Bootstrapped using setup script. Basic option parsing for purpose of tagging frames. 4 years ago			`pub mod telnet;`
app-layer: websockets protocol support Ticket: 2695 2 years ago			`pub mod websocket;`
enip: convert to rust Ticket: 3958 - transactions are now bidirectional - there is a logger - gap support is improved with probing for resync - frames support - app-layer events - enip_command keyword accepts now string enumeration as values. - add enip.status keyword - add keywords : enip.product_name, enip.protocol_version, enip.revision, enip.identity_status, enip.state, enip.serial, enip.product_code, enip.device_type, enip.vendor_id, enip.capabilities, enip.cip_attribute, enip.cip_class, enip.cip_instance, enip.cip_status, enip.cip_extendedstatus 2 years ago			`pub mod enip;`
rust: app-layer template parser and logger The protocol is a simple request/reply based protocol that can be hand driven with netcat. Request -> 12:Hello World! Response -> 3:Byte Its of the format <length>:<message> where length is the length of the message, not including the length or the delimiter. 7 years ago			`pub mod applayertemplate;`
protocol parser: rdp Initial implementation of feature 2314: 1. Add protocol parser for RDP 2. Add transactions for RDP negotiation 3. Add eve logging of transactions 6 years ago			`pub mod rdp;`
ssl/tls: use the rust decoder to decode X.509 certificates 5 years ago			`pub mod x509;`
rust/asn1: Introduce ASN1 rust module This module uses the `der-parser` crate to parse ASN1 objects in order to replace src/util-decode-asn1.c It also handles the parsing of the asn1 keyword rules and detection checks performed in src/detect-asn1.c 5 years ago			`pub mod asn1;`
mime: move FindMimeHeaderTokenRestrict to rust Also fixes the case where the token name is present in a value 4 years ago			`pub mod mime;`
parse: move SSH parser from C to Rust 5 years ago			`pub mod ssh;`
http2: initial support 5 years ago			`pub mod http2;`
quic: Add QUIC App Layer Parses quic and logs a CYU hash for gquic frames 5 years ago			`pub mod quic;`
bittorrent-dht: add bittorrent-dht app layer Parses and logs the bittorrent-dht protocol. Note: Includes some compilation fixups after rebase by Jason Ish. Feature: #3086 5 years ago			`pub mod bittorrent_dht;`
rust/util: expose function to test strings for valid UTF-8 rs_check_utf8 will check that the provided string is valid UTF-8 by converting it to a Rust string and returning true or false. 5 years ago			`pub mod plugin;`
file/swf: Use lzma-rs decompression instead of libhtp. Use the lzma-rs crate for decompressing swf/lzma files instead of the lzma decompressor in libhtp. This decouples suricata from libhtp except for actual http parsing, and means libhtp no longer has to export a lzma decompression interface. Ticket: #5638 3 years ago			`pub mod lzma;`
rust/util: expose function to test strings for valid UTF-8 rs_check_utf8 will check that the provided string is valid UTF-8 by converting it to a Rust string and returning true or false. 5 years ago			`pub mod util;`
rust: add ffi module for sha256, sha1 and md5 Add a Rust module that exposes Rust implementations of sha256, sha1 and md5 from the RustCrypto project. This is an experiment in replacing the libnss hash functions with pure Rust versions that will allow us to remove nss as a compile time option. Initial tests are good, even with a 10% or so performance improvement when being called from C. Also trying a module naming scheme where modules under the ffi modules are purely for exports to C, as it doesn't make any sense to use this new hashing module directly from Rust. 5 years ago			`pub mod ffi;`
feature: provide a Rust binding to the feature API As the feature module is not available for Rust unit tests, a mock version is also provided. 2 years ago			`pub mod feature;`
rust/sdp: implement protocol parser This implements a parser for the SDP protocol. Given that SDP is encapsulated within other protocols (such as SIP), enabling it separately is not necessary. Ticket #6627. 1 year ago			`pub mod sdp;`
rust/ldap: implement types and filters This implementation adds types and filters specified in the LDAP RFC to work with the ldap_parser. Although using the parser directly would be best, strange behavior has been observed during transaction logging. It appears that C pointers are being overwritten, leading to incorrect output when LDAP fields are logged. 1 year ago			`pub mod ldap;`
rust/flow: move flow support to its own file (cleanup) Move the Rust Flow support from core.rs to flow.rs. 6 months ago			`pub mod flow;`
rust/direction: move direction to own file (cleanup) Move the implementation of Direction to its own file, direction.rs. 6 months ago			`pub mod direction;`
lua: use rust crate to vendor (bundle) lua Remove lua-dev(el) from all CI tests. 1 year ago
			`#[allow(unused_imports)]`
			`pub use suricata_lua_sys;`