Skip to content

Commit

Permalink
plugins: document app-layer plugins
Browse files Browse the repository at this point in the history 
Ticket: 7149
Ticket: 7150
Ticket: 7153
  • Loading branch information
@catenacyber
catenacyber committed Jan 17, 2025
1 parent 21b3109 commit 5c864b6
Showing 1 changed file with 46 additions and 2 deletions.
48 changes: 46 additions & 2 deletions doc/userguide/devguide/libsuricata/index.rst
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
.. _libsuricata:

LibSuricata
===========
LibSuricata and Plugins
=======================

Using Suricata as a Library
---------------------------
Expand All @@ -10,5 +10,49 @@ The ability to turn Suricata into a library that can be utilized in other tools
is currently a work in progress, tracked by Redmine Ticket #2693:
https://redmine.openinfosecfoundation.org/issues/2693.

Plugins
-------

A related work are Suricata plugins, also in progress and tracked by Redmine
Ticket #4101: https://redmine.openinfosecfoundation.org/issues/4101.

Plugins can be used by modifying suricata.yaml ``plugins`` section to include
the path of the dynamic library to load.

Plugins should export a ``SCPluginRegister`` function that will be the entry point
used by Suricata.

Application-layer plugins
~~~~~~~~~~~~~~~~~~~~~~~~~

Application layer plugins can be added as demonstrated by example
https://github.com/OISF/suricata/blob/master/examples/plugins/altemplate/

The plugin code contains the same files as an application layer in the source tree:
- alname.rs
- detect.rs
- lib.rs
- log.rs
- parser.rs

These files will have different ``use`` statements, targetting ``crate::suricata`` rather
than all the modules defined in Suricata itself.

And the plugin contains also additional files:
- plugin.rs : defines the entry point of the plugin ``SCPluginRegister``
- suricata.rs : something like a header-only definitions in Suricata needed by the plugin

``SCPluginRegister`` should register callback that should then call ``SCPluginRegisterAppLayer``
passing a ``SCAppLayerPlugin`` structure to suricata.

This ``SCAppLayerPlugin`` begins by a version number ``SC_PLUGIN_API_VERSION`` for compatibility
between Suricata and the plugin.

Known limitations are:
- Plugins can only use simple logging as defined by ``EveJsonSimpleTxLogFunc``
without suricata.yaml configuration, see https://github.com/OISF/suricata/pull/11160
- Keywords cannot use validate callbacks, see https://redmine.openinfosecfoundation.org/issues/5634
- Plugins cannot have keywords matching on mulitple protocols (like ja4),
see https://redmine.openinfosecfoundation.org/issues/7304

.. attention:: A pure rust pluging needs to be compiled with ``RUSTFLAGS=-Clink-args=-Wl,-undefined,dynamic_lookup``

0 comments on commit 5c864b6

Please sign in to comment.