From 609ad8fef6e603f07df32863cf49a30a5fddaf76 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 21 Jan 2025 15:43:14 +0100 Subject: [PATCH] WIP: suricata-plugin crate --- configure.ac | 2 +- examples/plugins/altemplate/Cargo.toml | 1 + examples/plugins/altemplate/src/detect.rs | 2 +- examples/plugins/altemplate/src/plugin.rs | 5 ++- examples/plugins/altemplate/src/suricata.rs | 26 ++------------- examples/plugins/altemplate/src/template.rs | 14 +++++---- rust/Cargo.toml.in | 2 +- rust/Makefile.am | 3 +- rust/plugin/Cargo.toml.in | 9 ++++++ rust/plugin/src/lib.rs | 35 +++++++++++++++++++++ rust/src/detect/mod.rs | 6 ++-- 11 files changed, 68 insertions(+), 37 deletions(-) create mode 100644 rust/plugin/Cargo.toml.in create mode 100644 rust/plugin/src/lib.rs diff --git a/configure.ac b/configure.ac index ca964d9039a0..ede100c29249 100644 --- a/configure.ac +++ b/configure.ac @@ -2515,7 +2515,7 @@ AC_SUBST(enable_non_bundled_htp) AM_CONDITIONAL([BUILD_SHARED_LIBRARY], [test "x$enable_shared" = "xyes"] && [test "x$can_build_shared_library" = "xyes"]) -AC_CONFIG_FILES(Makefile src/Makefile rust/Makefile rust/Cargo.lock rust/Cargo.toml rust/derive/Cargo.toml rust/.cargo/config.toml) +AC_CONFIG_FILES(Makefile src/Makefile rust/Makefile rust/Cargo.lock rust/Cargo.toml rust/derive/Cargo.toml rust/plugin/Cargo.toml rust/.cargo/config.toml) AC_CONFIG_FILES(qa/Makefile qa/coccinelle/Makefile) AC_CONFIG_FILES(rules/Makefile doc/Makefile doc/userguide/Makefile) AC_CONFIG_FILES(contrib/Makefile contrib/file_processor/Makefile contrib/file_processor/Action/Makefile contrib/file_processor/Processor/Makefile) diff --git a/examples/plugins/altemplate/Cargo.toml b/examples/plugins/altemplate/Cargo.toml index 349d32417b84..f72c743f8e3b 100644 --- a/examples/plugins/altemplate/Cargo.toml +++ b/examples/plugins/altemplate/Cargo.toml 
@@ -9,6 +9,7 @@ crate-type = ["cdylib"] [dependencies] nom7 = { version="7.0", package="nom" } libc = "~0.2.82" +suricata-plugin = { path = "../../../rust/plugin" } [features] default = ["suricata8"] diff --git a/examples/plugins/altemplate/src/detect.rs b/examples/plugins/altemplate/src/detect.rs index 48c9f31de60c..bcd89cff0d55 100644 --- a/examples/plugins/altemplate/src/detect.rs +++ b/examples/plugins/altemplate/src/detect.rs @@ -23,10 +23,10 @@ use crate::suricata::{ cast_pointer, DetectBufferSetActiveList, DetectHelperBufferMpmRegister, DetectHelperGetData, DetectHelperKeywordRegister, DetectSignatureSetAppProto, Direction, SCSigTableElmt, - SIGMATCH_INFO_STICKY_BUFFER, SIGMATCH_NOOPT, }; use crate::template::{TemplateTransaction, ALPROTO_TEMPLATE}; use std::os::raw::{c_int, c_void}; +use suricata_plugin::{SIGMATCH_INFO_STICKY_BUFFER, SIGMATCH_NOOPT}; static mut G_TEMPLATE_BUFFER_BUFFER_ID: c_int = 0; diff --git a/examples/plugins/altemplate/src/plugin.rs b/examples/plugins/altemplate/src/plugin.rs index e7837e945ac9..7e47b20992cb 100644 --- a/examples/plugins/altemplate/src/plugin.rs +++ b/examples/plugins/altemplate/src/plugin.rs @@ -17,7 +17,10 @@ extern "C" fn altemplate_plugin_init() { }; unsafe { if SCPluginRegisterAppLayer(Box::into_raw(Box::new(plugin))) != 0 { - SCLog!(suricata::Level::Error, "Failed to register altemplate plugin"); + SCLog!( + suricata::Level::Error, + "Failed to register altemplate plugin" + ); } } } diff --git a/examples/plugins/altemplate/src/suricata.rs b/examples/plugins/altemplate/src/suricata.rs index 366cb01bc221..2a66fcb0c02a 100644 --- a/examples/plugins/altemplate/src/suricata.rs +++ b/examples/plugins/altemplate/src/suricata.rs 
@@ -4,25 +4,7 @@ use std::ffi::{CStr, CString}; use std::os::raw::{c_char, c_int, c_void}; -// Type definitions -pub type AppProto = u16; -pub type AppLayerEventType = c_int; - -// Constant definitions -pub const ALPROTO_UNKNOWN: AppProto = 0; - -pub const IPPROTO_TCP: u8 = 6; - -pub const APP_LAYER_PARSER_OPT_ACCEPT_GAPS: u32 = 0x00000001; - -pub const APP_LAYER_PARSER_EOF_TC: u16 = 0x0040; -pub const APP_LAYER_PARSER_EOF_TS: u16 = 0x0020; - -pub const APP_LAYER_EVENT_TYPE_TRANSACTION: i32 = 1; - -pub const SIGMATCH_NOOPT: u16 = 1; -pub const SIGMATCH_INFO_STICKY_BUFFER: u16 = 0x200; - +use suricata_plugin::AppProto; //pub const STREAM_TOCLIENT: u8 = 0x08; // Opaque definitions @@ -215,10 +197,8 @@ pub type StateTxFreeFn = unsafe extern "C" fn(*mut c_void, u64); pub type StateGetTxFn = unsafe extern "C" fn(*mut c_void, u64) -> *mut c_void; pub type StateGetTxCntFn = unsafe extern "C" fn(*mut c_void) -> u64; pub type StateGetProgressFn = unsafe extern "C" fn(*mut c_void, u8) -> c_int; -pub type GetEventInfoFn = - unsafe extern "C" fn(*const c_char, *mut c_int, *mut AppLayerEventType) -> c_int; -pub type GetEventInfoByIdFn = - unsafe extern "C" fn(c_int, *mut *const c_char, *mut AppLayerEventType) -> i8; +pub type GetEventInfoFn = unsafe extern "C" fn(*const c_char, *mut c_int, *mut c_int) -> c_int; +pub type GetEventInfoByIdFn = unsafe extern "C" fn(c_int, *mut *const c_char, *mut c_int) -> i8; pub type LocalStorageNewFn = extern "C" fn() -> *mut c_void; pub type LocalStorageFreeFn = extern "C" fn(*mut c_void); pub type GetTxFilesFn = unsafe extern "C" fn(*mut c_void, *mut c_void, u8) -> AppLayerGetFileState; diff --git a/examples/plugins/altemplate/src/template.rs b/examples/plugins/altemplate/src/template.rs index 8182bdcf08a2..76bd5030361a 100644 --- a/examples/plugins/altemplate/src/template.rs +++ b/examples/plugins/altemplate/src/template.rs 
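Review bot: The new `GetEventInfoFn`/`GetEventInfoByIdFn` signatures replace `*mut AppLayerEventType` with `*mut c_int` while the first hunk deletes the local `AppLayerEventType = c_int` alias, so the plugin's FFI contract now silently assumes the C `AppLayerEventType` enum is int-sized; that holds on the usual ABIs but nothing in the file says so, and the alias that documented it is gone. The `suricata_plugin` crate does re-export a name `AppLayerEventType`, but judging by plugin/src/lib.rs that is an enum with variants, not the integer the C callback writes through, so it could not simply be substituted here. I would keep the raw `c_int` and record the assumption next to the two type definitions: `// C side declares the last argument as `enum AppLayerEventType *`; callbacks write the C enum value as a c_int.` If that repr ever changes, these two lines are where the plugin breaks first.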
@@ -28,16 +28,18 @@ use crate::suricata::{ build_slice, cast_pointer, conf_get, AppLayerGetTxIterTuple, AppLayerParserConfParserEnabled, AppLayerParserRegisterLogger, AppLayerParserStateIssetFlag, AppLayerProtoDetectConfProtoDetectionEnabled, AppLayerRegisterParser, - AppLayerRegisterProtocolDetection, AppLayerResult, AppLayerStateData, AppLayerTxData, AppProto, - Flow, Level, RustParser, SCLogError, SCLogNotice, StreamSlice, ALPROTO_UNKNOWN, - APP_LAYER_EVENT_TYPE_TRANSACTION, APP_LAYER_PARSER_EOF_TC, APP_LAYER_PARSER_EOF_TS, - APP_LAYER_PARSER_OPT_ACCEPT_GAPS, IPPROTO_TCP, + AppLayerRegisterProtocolDetection, AppLayerResult, AppLayerStateData, AppLayerTxData, Flow, + Level, RustParser, SCLogError, SCLogNotice, StreamSlice, }; use nom7 as nom; use std; use std::collections::VecDeque; use std::ffi::{CStr, CString}; use std::os::raw::{c_char, c_int, c_void}; +use suricata_plugin::{ + AppProto, ALPROTO_UNKNOWN, APP_LAYER_EVENT_TYPE_TRANSACTION, APP_LAYER_PARSER_EOF_TC, + APP_LAYER_PARSER_EOF_TS, APP_LAYER_PARSER_OPT_ACCEPT_GAPS, IPPROTO_TCP, +}; static mut TEMPLATE_MAX_TX: usize = 256; @@ -91,7 +93,7 @@ impl TemplateEvent { return -1; } }; - *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION; + *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION as std::os::raw::c_int; *event_id = event as std::os::raw::c_int; 0 } @@ -102,7 +104,7 @@ impl TemplateEvent { ) -> i8 { if let Some(e) = TemplateEvent::from_id(event_id) { *event_name = e.to_cstring().as_ptr() as *const std::os::raw::c_char; - *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION; + *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION as std::os::raw::c_int; return 0; } -1 diff --git a/rust/Cargo.toml.in b/rust/Cargo.toml.in index 8fad5fee77e3..aa9129dc8095 100644 --- a/rust/Cargo.toml.in +++ b/rust/Cargo.toml.in @@ -7,7 +7,7 @@ edition = "2021" rust-version = "1.67.1" [workspace] -members = [".", "./derive"] +members = [".", "./derive", "./plugin"] [lib] crate-type = ["staticlib", "rlib"] 
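Review bot: `*event_type = APP_LAYER_EVENT_TYPE_TRANSACTION as std::os::raw::c_int;` only writes what C expects if the enum that `suricata_plugin` re-exports has a C-compatible repr and its `APP_LAYER_EVENT_TYPE_TRANSACTION` discriminant equals the C constant (the value the deleted local definition hard-coded as `1`); an `as` cast on a Rust enum compiles either way, so a mismatch would surface only as misclassified events at runtime, and whether that repr is declared is not visible in this diff. I'd either have `suricata_plugin` expose the integer directly as a `pub const … : c_int`, or guard the cast where it happens with a comment and a compile-time check, e.g. `// must equal the C enum value in the app-layer events header` and `const _: () = assert!(APP_LAYER_EVENT_TYPE_TRANSACTION as std::os::raw::c_int == 1);`. The enclosing method of `impl TemplateEvent` begins outside the hunk.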
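Review bot: In the by-id lookup, `*event_name = e.to_cstring().as_ptr() as *const std::os::raw::c_char;` stores a pointer into the value returned by `to_cstring()`, a temporary that is dropped at the end of the statement; if `to_cstring()` builds an owned `CString` or `String` per call, the pointer handed back to C dangles immediately. The explicit `as *const c_char` cast suggests `as_ptr()` yields `*const u8`, i.e. a `&str`, in which case the string must be `'static` and carry an embedded trailing `\0` or C reads past it. The hunk only touches the adjacent `event_type` line, so the commit does not address this; I would pin the invariant with `// SAFETY: to_cstring() must return a NUL-terminated &'static str; C keeps this pointer` and, if it is not already, give `to_cstring` a `&'static str` return type. The enclosing method of `impl TemplateEvent` begins outside the hunk.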
diff --git a/rust/Makefile.am b/rust/Makefile.am index d53eb97090e1..2120db83e1cc 100644 --- a/rust/Makefile.am +++ b/rust/Makefile.am @@ -1,9 +1,10 @@ -EXTRA_DIST = src derive \ +EXTRA_DIST = src derive plugin \ .cargo/config.toml.in \ cbindgen.toml \ dist/rust-bindings.h \ vendor \ Cargo.toml Cargo.lock \ + plugin/Cargo.toml \ derive/Cargo.toml if !DEBUG diff --git a/rust/plugin/Cargo.toml.in b/rust/plugin/Cargo.toml.in new file mode 100644 index 000000000000..7b2e1a4974e2 --- /dev/null +++ b/rust/plugin/Cargo.toml.in @@ -0,0 +1,9 @@ +[package] +name = "suricata-plugin" +version = "@PACKAGE_VERSION@" +license = "GPL-2.0-only" +description = "Re-exports for Suricata plugins" +edition = "2021" + +[dependencies] +suricata = { path = "../", version = "@PACKAGE_VERSION@" } diff --git a/rust/plugin/src/lib.rs b/rust/plugin/src/lib.rs new file mode 100644 index 000000000000..e7cb389aea1b --- /dev/null +++ b/rust/plugin/src/lib.rs 
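Review bot: `suricata = { path = "../", version = "@PACKAGE_VERSION@" }` makes every consumer of `suricata-plugin` link the whole `suricata` rlib (its `crate-type` is `["staticlib", "rlib"]`, per the rust/Cargo.toml.in hunk), although this crate only needs a handful of constants and type aliases. For a plugin built as a `cdylib`, as the altemplate example is, that statically embeds a second copy of Suricata's Rust code inside the shared object; if that rlib carries `#[no_mangle]` `extern "C"` definitions, the plugin .so would export its own copies too, and which copy the host resolves is then up to the dynamic linker — this part is inferred, since the diff does not show what the rlib exports. I'd state the intent in the manifest (a comment such as `# pulls in the full suricata crate; plugins link a private copy of its Rust code`) and consider a dependency shape that does not drag the engine in, e.g. a feature on `suricata` that gates the FFI exports, or a separate ABI-constants crate.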
@@ -0,0 +1,35 @@ +/* Copyright (C) 2020-2023 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + + use suricata::*; + +// Type definitions +pub type AppProto = core::AppProto; +pub type AppLayerEventType = core::AppLayerEventType; + +// Constant definitions +pub const ALPROTO_UNKNOWN: AppProto = core::ALPROTO_UNKNOWN; +pub const IPPROTO_TCP : u8 = core::IPPROTO_TCP; + +pub const APP_LAYER_PARSER_OPT_ACCEPT_GAPS : u32 = applayer::APP_LAYER_PARSER_OPT_ACCEPT_GAPS; +pub const APP_LAYER_PARSER_EOF_TC : u16 = applayer::APP_LAYER_PARSER_EOF_TC; +pub const APP_LAYER_PARSER_EOF_TS : u16 = applayer::APP_LAYER_PARSER_EOF_TS; + +pub const APP_LAYER_EVENT_TYPE_TRANSACTION : AppLayerEventType = AppLayerEventType::APP_LAYER_EVENT_TYPE_TRANSACTION; + +pub const SIGMATCH_NOOPT: u16 = detect::SIGMATCH_NOOPT; +pub const SIGMATCH_INFO_STICKY_BUFFER: u16 = detect::SIGMATCH_INFO_STICKY_BUFFER; \ No newline at end of file diff --git a/rust/src/detect/mod.rs b/rust/src/detect/mod.rs index c00f0dfdeb18..de82a1559d91 100644 --- a/rust/src/detect/mod.rs +++ b/rust/src/detect/mod.rs 
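Review bot: The crate describes itself as re-exports but re-declares each value as a fresh `pub const` copied from `suricata`, and reaches them through ` use suricata::*;`, whose glob brings `suricata::core` into scope under the name `core` — so `core::AppProto` resolves to the Suricata module rather than the language's `core` crate only because glob imports shadow the extern prelude, which is easy to misread. A genuine re-export keeps one definition and lets the compiler carry the type: `pub use suricata::core::{AppProto, AppLayerEventType, ALPROTO_UNKNOWN, IPPROTO_TCP};`, `pub use suricata::applayer::{APP_LAYER_PARSER_OPT_ACCEPT_GAPS, APP_LAYER_PARSER_EOF_TC, APP_LAYER_PARSER_EOF_TS};`, `pub use suricata::detect::{SIGMATCH_NOOPT, SIGMATCH_INFO_STICKY_BUFFER};`, with `APP_LAYER_EVENT_TYPE_TRANSACTION` handled the same way if the enum variant itself is meant to be exposed. Smaller things for a new file: the header says 2020-2023 for a file created in 2025, there is no `//!` crate doc stating that this is the stable surface plugins should compile against, and the leading space on the `use`, the `IPPROTO_TCP : u8` spacing and the missing final newline will not survive `cargo fmt`.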
@@ -76,9 +76,9 @@ pub struct SCSigTableElmt { >, } -pub(crate) const SIGMATCH_NOOPT: u16 = 1; // BIT_U16(0) in detect.h -pub(crate) const SIGMATCH_QUOTES_MANDATORY: u16 = 0x40; // BIT_U16(6) in detect.h -pub(crate) const SIGMATCH_INFO_STICKY_BUFFER: u16 = 0x200; // BIT_U16(9) +pub const SIGMATCH_NOOPT: u16 = 1; // BIT_U16(0) in detect.h +pub const SIGMATCH_QUOTES_MANDATORY: u16 = 0x40; // BIT_U16(6) in detect.h +pub const SIGMATCH_INFO_STICKY_BUFFER: u16 = 0x200; // BIT_U16(9) /// cbindgen:ignore extern {
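Review bot: Widening `SIGMATCH_NOOPT`, `SIGMATCH_QUOTES_MANDATORY` and `SIGMATCH_INFO_STICKY_BUFFER` from `pub(crate)` to `pub` turns hand-copied values from `detect.h` into a public API that out-of-tree plugins will compile against, yet nothing checks that the Rust and C values still agree; a later change to the C bitmask would leave plugins registering keywords with wrong flags and no compile error. At minimum the doc comment should say so: `/// Keyword flags mirrored from detect.h. Exposed to plugins through the suricata-plugin crate, so changing a value here is an ABI change and the C side must stay in sync.` Better, have cbindgen or a build-time check generate or verify them instead of keeping two copies. The `extern {` block that follows is cut off by the hunk.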