Applayer plugin 5053 v11 #12471
Open
Applayer plugin 5053 v11 #12471
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
and use generic logger callback prototype with later cast and do some other small modifications so that the plugin has less diff
so that it can be used by plugins Avoid export by cbindgen as this constant is also defined in C
so that it can be used by plugins that want to call SCLogError and such
catenacyber
requested review from
jasonish,
jufajardini,
victorjulien and
a team
as code owners
jasonish
reviewed
Jan 24, 2025
Comment on lines
+31
to
+39
| // Struct definitions | ||
| #[repr(C)] | ||
| #[allow(non_snake_case)] | ||
| pub struct SCPlugin { | ||
| pub name: *const libc::c_char, | ||
| pub license: *const libc::c_char, | ||
| pub author: *const libc::c_char, | ||
| pub Init: extern "C" fn(), | ||
| } |
There was a problem hiding this comment.
This is a good example of a data structure that should remain in C, and be provided to Rust via bindgen instead of continuing the pattern of creating C data structure in Rust for the convenience of write once.
jasonish
reviewed
Jan 24, 2025
| @@ -83,7 +83,7 @@ extern crate suricata_derive; | |||
| pub mod core; | |||
|
|
|||
| #[macro_use] | |||
| pub(crate) mod debug; | |||
| pub mod debug; | |||
There was a problem hiding this comment.
I broke out the fixes from my previous PR to expose SCPlugin to Rust to just a minimal one to fix logging from plugins:
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #12471 +/- ##
==========================================
+ Coverage 80.52% 80.55% +0.02%
==========================================
Files 923 923
Lines 259176 259543 +367
==========================================
+ Hits 208708 209067 +359
- Misses 50468 50476 +8
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: QA ran without warnings. Pipeline 24348 |
With the recent refactor, the log level as seen by plugins was not being updated when being set through the C interface, so just set it directly upon plugin initialization.
so that they can be used by rust plugins
Ticket: 7151 Ticket: 7152 Ticket: 7154
Ticket: 7149 Ticket: 7150 Ticket: 7153
catenacyber
force-pushed
the
applayer-plugin-5053-v11
branch
from
d08fb5c to
b35cd6d
Compare
jufajardini
requested changes
Jan 31, 2025
| - log.rs | ||
| - parser.rs | ||
|
|
||
| These files will have different ``use`` statements, targetting the suricata crate. |
There was a problem hiding this comment.
Suggested change
| These files will have different ``use`` statements, targetting the suricata crate. | |
| These files will have different ``use`` statements, targeting the suricata crate. |
| - plugin.rs : defines the entry point of the plugin ``SCPluginRegister`` | ||
|
|
||
| ``SCPluginRegister`` should register callback that should then call ``SCPluginRegisterAppLayer`` | ||
| passing a ``SCAppLayerPlugin`` structure to suricata. |
There was a problem hiding this comment.
Nit
Suggested change
| passing a ``SCAppLayerPlugin`` structure to suricata. | |
| passing a ``SCAppLayerPlugin`` structure to Suricata. |
| - Plugins can only use simple logging as defined by ``EveJsonSimpleTxLogFunc`` | ||
| without suricata.yaml configuration, see https://github.com/OISF/suricata/pull/11160 | ||
| - Keywords cannot use validate callbacks, see https://redmine.openinfosecfoundation.org/issues/5634 | ||
| - Plugins cannot have keywords matching on mulitple protocols (like ja4), |
There was a problem hiding this comment.
Suggested change
| - Plugins cannot have keywords matching on mulitple protocols (like ja4), | |
| - Plugins cannot have keywords matching on multiple protocols (like ja4), |
| A related work are Suricata plugins, also in progress and tracked by Redmine | ||
| Ticket #4101: https://redmine.openinfosecfoundation.org/issues/4101. | ||
|
|
||
| Plugins can be used by modifying suricata.yaml ``plugins`` section to include |
There was a problem hiding this comment.
nit:
Suggested change
| Plugins can be used by modifying suricata.yaml ``plugins`` section to include | |
| Plugins can be used by modifying the suricata.yaml ``plugins`` section to include |
Comment on lines
+32
to
+36
| - alname.rs | ||
| - detect.rs | ||
| - lib.rs | ||
| - log.rs | ||
| - parser.rs |
There was a problem hiding this comment.
Would it make sense to add oneliner descriptions for each file?
| The solution is to go through the ``JsonBuilder`` C API which uses an opaque pointer. | ||
|
|
||
| And the plugin contains also additional files: | ||
| - plugin.rs : defines the entry point of the plugin ``SCPluginRegister`` |
There was a problem hiding this comment.
same here
Suggested change
| - plugin.rs : defines the entry point of the plugin ``SCPluginRegister`` | |
| - plugin.rs : defines the entry point of the plugin -- ``SCPluginRegister`` |
| And the plugin contains also additional files: | ||
| - plugin.rs : defines the entry point of the plugin ``SCPluginRegister`` | ||
|
|
||
| ``SCPluginRegister`` should register callback that should then call ``SCPluginRegisterAppLayer`` |
There was a problem hiding this comment.
Suggested change
| ``SCPluginRegister`` should register callback that should then call ``SCPluginRegisterAppLayer`` | |
| ``SCPluginRegister`` should register a callback that should then call ``SCPluginRegisterAppLayer`` |
Comment on lines
+51
to
+54
| It should also call ``suricata::plugin::init();`` to ensure the plugin has initialized | ||
| its value of the Suricata Context, a structure needed by rust, to call some C functions, | ||
| that cannot be found at compile time because of circular dependencies, and are therefore | ||
| resolved at runtime. |
There was a problem hiding this comment.
Suggest a minor changes (if I understand this portion correctly)
Suggested change
| It should also call ``suricata::plugin::init();`` to ensure the plugin has initialized | |
| its value of the Suricata Context, a structure needed by rust, to call some C functions, | |
| that cannot be found at compile time because of circular dependencies, and are therefore | |
| resolved at runtime. | |
| It should also call ``suricata::plugin::init();`` to ensure the plugin has initialized | |
| its value of the Suricata Context. This is a structure needed by rust to call some C functions | |
| that cannot be found at compile time because of circular dependencies and are therefore | |
| resolved at runtime. |
| .. attention:: A pure rust plugin needs to be compiled with ``RUSTFLAGS=-Clink-args=-Wl,-undefined,dynamic_lookup`` | ||
|
|
||
| This is because the plugin will link dynamically at runtime the functions defined in Suricata runtime. | ||
| You can define this rust flags in a ``.cargo/config.toml`` file. |
There was a problem hiding this comment.
Suggested change
| You can define this rust flags in a ``.cargo/config.toml`` file. | |
| You can define these rust flags in a ``.cargo/config.toml`` file. |
| that cannot be found at compile time because of circular dependencies, and are therefore | ||
| resolved at runtime. | ||
|
|
||
| This ``SCAppLayerPlugin`` begins by a version number ``SC_PLUGIN_API_VERSION`` for runtime compatibility |
There was a problem hiding this comment.
Nit:
Suggested change
| This ``SCAppLayerPlugin`` begins by a version number ``SC_PLUGIN_API_VERSION`` for runtime compatibility | |
| The ``SCAppLayerPlugin`` begins by a version number ``SC_PLUGIN_API_VERSION`` for runtime compatibility |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/4102 with all 6 subtickets
Describe changes:
@jufajardini what do you think about the doc ?
#12467 rebased to get green CI
There are also #12470 and #12466 which will require a rebase of this PR if they get merged first (or the other way around)
cc @jasonish