8036202c7b
This parser rewrites the DCE/RPC protocol implementation of Suricata in Rust. More tests have been added to improve the coverage and some fixes have been made to the tests already written in C. Most of the valid tests from C have been imported to Rust. File anatomy src/dcerpc.rs This file contains the implementation of single transactions in DCE/RPC over TCP. It takes care of REQUEST, RESPONSE, BIND and BINDACK business logic before and after the data parsing. DCERPCState holds the state corresponding to a particular transaction and handles all important aspects. It also defines any common structures and constants required for DCE/RPC parsing irrespective of the carrier protocol. src/dcerpc_udp.rs This file contains the implementation of single transactions in DCE/RPC over UDP. It takes care of REQUEST and RESPONSE parsing. It borrows the Request and Response structs from src/dcerpc.rs. src/detect.rs This file contains the implementation of dce_iface and opnum detect keywords. Both the parsing and the matching is taken care of by functions in this file. Tests have been rewritten with the test data from C. src/parser.rs This file contains all the nom parsers written for DCERPCRequest, DCERPCResponse, DCERPCBind, DCERPCBindAck, DCERPCHeader, DCERPCHdrUdp. It also implements functions to assemble and convert UUIDs. All the fields have their endianness defined unless its an 8bit field or an unusable one, then it's little endian but it won't make any difference. src/mod.rs This file contains all the modules of dcerpc folder which should be taken into account during compilation. Function calls This is a State-wise implementation of the protocol for single transaction only i.e. a valid state object is required to parse any record. Function calls start with the app layer parser in C which detects the application layer protocol to be DCE/RPC and calls the appropriate functions in C which in turn make a call to these functions in Rust using FFI. All the necessary information is passed from C to the parsers and handlers in Rust. Implementation When a batch of input comes in, there is an analysis of whether the input header and the direction is appropriate. Next check is about the size of fragment. If it is as defined by the header, process goes through else the data is buffered and more data is awaited. After this, type of record as indicated by the header is checked. A call to the appropriate handler is made. After the handling, State is updated with the latest information about whatever record came in. AppLayerResult::ok() is returned in case all went well else AppLayerResult::err() is returned indicating something went wrong. |
5 years ago | |
|---|---|---|
| .github | 5 years ago | |
| benches | ||
| contrib | 7 years ago | |
| doc | 5 years ago | |
| ebpf | 6 years ago | |
| etc | 6 years ago | |
| lua | 8 years ago | |
| m4 | ||
| python | 5 years ago | |
| qa | 6 years ago | |
| rules | 5 years ago | |
| rust | 5 years ago | |
| scripts | 6 years ago | |
| src | 5 years ago | |
| suricata-update | 6 years ago | |
| .gitignore | 6 years ago | |
| .travis.yml | 5 years ago | |
| COPYING | ||
| ChangeLog | 6 years ago | |
| LICENSE | ||
| Makefile.am | 6 years ago | |
| Makefile.cvs | ||
| README.md | 6 years ago | |
| acsite.m4 | 5 years ago | |
| appveyor.yml | 5 years ago | |
| autogen.sh | 8 years ago | |
| config.rpath | ||
| configure.ac | 5 years ago | |
| doxygen.cfg | 6 years ago | |
| suricata.yaml.in | 6 years ago | |
| threshold.config | 8 years ago | |
README.md
Suricata
Introduction
Suricata is a network IDS, IPS and NSM engine.
Installation
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation
User Guide
You can follow the Suricata user guide to get started.
Our deprecated (but still useful) user guide is also available.
Contributing
We're happily taking patches and other contributions. Please see https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing for how to get started.
Suricata is a complex piece of software dealing with mostly untrusted input. Mishandling this input will have serious consequences:
- in IPS mode a crash may knock a network offline;
- in passive mode a compromise of the IDS may lead to loss of critical and confidential data;
- missed detection may lead to undetected compromise of the network.
In other words, we think the stakes are pretty high, especially since in many common cases the IDS/IPS will be directly reachable by an attacker.
For this reason, we have developed a QA process that is quite extensive. A consequence is that contributing to Suricata can be a somewhat lengthy process.
On a high level, the steps are:
-
Travis-CI based build & unit testing. This runs automatically when a pull request is made.
-
Review by devs from the team and community
-
QA runs
Overview of Suricata's QA steps
Trusted devs and core team members are able to submit builds to our (semi) public Buildbot instance. It will run a series of build tests and a regression suite to confirm no existing features break.
The final QA run takes a few hours minimally, and is started by Victor. It currently runs:
- extensive build tests on different OS', compilers, optimization levels, configure features
- static code analysis using cppcheck, scan-build
- runtime code analysis using valgrind, DrMemory, AddressSanitizer, LeakSanitizer
- regression tests for past bugs
- output validation of logging
- unix socket testing
- pcap based fuzz testing using ASAN and LSAN
Next to these tests, based on the type of code change further tests can be run manually:
- traffic replay testing (multi-gigabit)
- large pcap collection processing (multi-terabytes)
- fuzz testing (might take multiple days or even weeks)
- pcap based performance testing
- live performance testing
- various other manual tests based on evaluation of the proposed changes
It's important to realize that almost all of the tests above are used as acceptance tests. If something fails, it's up to you to address this in your code.
One step of the QA is currently run post-merge. We submit builds to the Coverity Scan program. Due to limitations of this (free) service, we can submit once a day max. Of course it can happen that after the merge the community will find issues. For both cases we request you to help address the issues as they may come up.
FAQ
Q: Will you accept my PR?
A: That depends on a number of things, including the code quality. With new features it also depends on whether the team and/or the community think the feature is useful, how much it affects other code and features, the risk of performance regressions, etc.
Q: When will my PR be merged?
A: It depends, if it's a major feature or considered a high risk change, it will probably go into the next major version.
Q: Why was my PR closed?
A: As documented in the Suricata Github workflow here https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Github_work_flow, we expect a new pull request for every change.
Normally, the team (or community) will give feedback on a pull request after which it is expected to be replaced by an improved PR. So look at the comments. If you disagree with the comments we can still discuss them in the closed PR.
If the PR was closed without comments it's likely due to QA failure. If the Travis-CI check failed, the PR should be fixed right away. No need for a discussion about it, unless you believe the QA failure is incorrect.
Q: the compiler/code analyser/tool is wrong, what now?
A: To assist in the automation of the QA, we're not accepting warnings or errors to stay. In some cases this could mean that we add a suppression if the tool supports that (e.g. valgrind, DrMemory). Some warnings can be disabled. In some exceptional cases the only 'solution' is to refactor the code to work around a static code checker limitation false positive. While frustrating, we prefer this over leaving warnings in the output. Warnings tend to get ignored and then increase risk of hiding other warnings.
Q: I think your QA test is wrong
A: If you really think it is, we can discuss how to improve it. But don't come to this conclusion too quickly, more often it's the code that turns out to be wrong.
Q: do you require signing of a contributor license agreement?
A: Yes, we do this to keep the ownership of Suricata in one hand: the Open Information Security Foundation. See http://suricata-ids.org/about/open-source/ and http://suricata-ids.org/about/contribution-agreement/