Ticket: 3958
- transactions are now bidirectional
- there is a logger
- gap support is improved with probing for resync
- frames support
- app-layer events
- enip_command keyword now accepts string enumeration values.
- add enip.status keyword
- add keywords:
enip.product_name, enip.protocol_version, enip.revision,
enip.identity_status, enip.state, enip.serial, enip.product_code,
enip.device_type, enip.vendor_id, enip.capabilities,
enip.cip_attribute, enip.cip_class, enip.cip_instance,
enip.cip_status, enip.cip_extendedstatus
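As an added illustration of the description above (my own example, not Suricata's ENIP parser or any code from this PR): a minimal Rust parser for the EtherNet/IP encapsulation header, the frame span derived from the length field, and a probe that resyncs after a stream gap by scanning for the next plausible PDU. The header layout (24 bytes, little-endian: command, length, session, status, 8-byte sender context, options) follows the EtherNet/IP specification; the command name strings and the "known command plus zero options" plausibility heuristic are assumptions of this example, not the keyword's exact enumeration or the checks the real parser uses. The sample bytes are constructed inline.

```rust
// Added example, not Suricata's ENIP parser. Header layout per the EtherNet/IP
// spec: 24 bytes, little-endian: command u16, length u16, session u32, status u32,
// sender context [u8; 8], options u32. Command names and the resync heuristic
// are assumptions of this example.
pub const ENIP_HEADER_LEN: usize = 24;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct EnipHeader {
    pub command: u16,
    pub length: u16,
    pub session: u32,
    pub status: u32,
    pub sender_context: [u8; 8],
    pub options: u32,
}

/// Name for a known encapsulation command (spellings assumed here), so a rule
/// can match on a string instead of a bare number.
pub fn command_name(cmd: u16) -> Option<&'static str> {
    Some(match cmd {
        0x0000 => "nop",
        0x0004 => "list_services",
        0x0063 => "list_identity",
        0x0064 => "list_interfaces",
        0x0065 => "register_session",
        0x0066 => "unregister_session",
        0x006f => "send_rr_data",
        0x0070 => "send_unit_data",
        _ => return None,
    })
}

fn le16(b: &[u8]) -> u16 { u16::from_le_bytes([b[0], b[1]]) }
fn le32(b: &[u8]) -> u32 { u32::from_le_bytes([b[0], b[1], b[2], b[3]]) }

/// Frame span (header + declared payload) from the length field alone, so a PDU
/// frame can be recorded even when the command or body does not parse.
pub fn pdu_frame_len(buf: &[u8]) -> Option<usize> {
    if buf.len() < ENIP_HEADER_LEN {
        return None;
    }
    Some(ENIP_HEADER_LEN + le16(&buf[2..4]) as usize)
}

/// Parse one header and return it with its payload; None means "need more data".
pub fn parse_pdu(buf: &[u8]) -> Option<(EnipHeader, &[u8])> {
    let end = pdu_frame_len(buf)?;
    if buf.len() < end {
        return None;
    }
    let mut sender_context = [0u8; 8];
    sender_context.copy_from_slice(&buf[12..20]);
    let hdr = EnipHeader {
        command: le16(&buf[0..2]),
        length: le16(&buf[2..4]),
        session: le32(&buf[4..8]),
        status: le32(&buf[8..12]),
        sender_context,
        options: le32(&buf[20..24]),
    };
    Some((hdr, &buf[ENIP_HEADER_LEN..end]))
}

/// Plausibility check for resync after a gap: known command, options field zero
/// (the spec requires it), and the whole declared PDU present. Still a heuristic:
/// payload bytes can happen to look like a header.
pub fn looks_like_pdu(buf: &[u8]) -> bool {
    match parse_pdu(buf) {
        Some((hdr, _)) => command_name(hdr.command).is_some() && hdr.options == 0,
        None => false,
    }
}

/// Scan forward from a gap for the first offset holding a plausible, complete PDU.
pub fn probe_resync(buf: &[u8]) -> Option<usize> {
    if buf.len() < ENIP_HEADER_LEN {
        return None;
    }
    (0..=buf.len() - ENIP_HEADER_LEN).find(|&off| looks_like_pdu(&buf[off..]))
}

/// Build header + payload; only used here to construct sample traffic.
pub fn build_pdu(command: u16, session: u32, payload: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(ENIP_HEADER_LEN + payload.len());
    out.extend_from_slice(&command.to_le_bytes());
    out.extend_from_slice(&(payload.len() as u16).to_le_bytes());
    out.extend_from_slice(&session.to_le_bytes());
    out.extend_from_slice(&0u32.to_le_bytes()); // status
    out.extend_from_slice(&[0u8; 8]); // sender context
    out.extend_from_slice(&0u32.to_le_bytes()); // options
    out.extend_from_slice(payload);
    out
}

fn main() {
    // Constructed sample: RegisterSession (protocol version 1, option flags 0).
    let reg = build_pdu(0x0065, 0, &[0x01, 0x00, 0x00, 0x00]);
    let (hdr, payload) = parse_pdu(&reg).expect("complete PDU");
    println!("{:?} payload={:?}", command_name(hdr.command), payload);
    // Constructed gap: tail bytes of a lost PDU, then a clean ListIdentity request.
    let mut stream = vec![0xde, 0xad, 0xbe, 0xef, 0x42];
    stream.extend_from_slice(&build_pdu(0x0063, 0x1234_5678, &[]));
    println!("resync at offset {:?}", probe_resync(&stream));
}
```

The split between pdu_frame_len and parse_pdu is deliberate: the frame boundary depends only on the length field, so it can be recorded before (or despite) the body failing to parse, while probe_resync only accepts an offset once a whole plausible PDU fits in the data held.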
9aff27c to 2321978
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## master #10901 +/- ##
==========================================
+ Coverage 77.64% 82.17% +4.53%
==========================================
Files 922 941 +19
Lines 247806 250157 +2351
==========================================
+ Hits 192400 205570 +13170
+ Misses 55406 44587 -10819
Flags with carried forward coverage won't be shown.
Information:
ERROR: QA failed on SURI_TLPW2_autofp_suri_time.
ERROR: QA failed on SURI_TLPW1_files_sha256.
ERROR: QA failed on SURI_TLPR1_suri_time.
Pipeline 20220
jufajardini left a comment
Kudos on tackling keyword/log output parity :D
Not sure if possible, but wondering if we could have dedicated commits:
Maybe:
- one for docs
- one for logging and parsing (and schema?)
- one for detection
- one for new keywords added
- replacement of C code with rust code into an independent commit
- maybe one for unittests removal, just to keep the change contained?
Please ignore if this proposal doesn't make sense or would be too much work
I do not like separating doc commits from the code changes needing the documentation...
Already existing keywords must be done within the same commit as parsing goes from c to rust...
This is not independent : I add logging and parsing in rust, while moving away the C code...
Interesting. Why so ?
This can be work... not sure if it is relevant...
Looking again, I can't see what made me make this comment, please ignore. >__<'
In general I see that we try to break changes into smaller commits, so that's where this comes from. But I don't have a super strong opinion about this, yet...
victorjulien left a comment
Some questions and feedback inline
    }

#[no_mangle]
pub unsafe extern "C" fn rs_enip_tx_has_cip_attribute(
Can you update all [no_mangle] functions to use the new naming style for FFI rust funcs?
With python
# Rename the rs_enip_* FFI symbols listed in diff.txt (one symbol per line)
# to the SCEnip CamelCase style and print a sed command for each rename.
with open("diff.txt") as f:
    for l in f:
        base = l.rstrip("\n")
        if not base:
            continue
        trans1 = base.replace("rs_enip", "SCEnip")
        # Drop each underscore and upper-case the character that follows it.
        trans = ""
        state = 0
        for c in trans1:
            if c == '_':
                state = 1
            else:
                if state == 1:
                    trans += c.upper()
                    state = 0
                else:
                    trans += c
        print("git grep %s | cut -d: -f1 | xargs sed -i -e 's/%s/%s/'" % (base, base, trans))

        let input = stream_slice.as_slice();
        match parser::parse_enip_pdu(input) {
            Ok((_, pdu)) => {
                process_frames(&pdu, &stream_slice, flow, input);
we should create the frame regardless of the parser result
Do you mean only for UDP ?
And which frame are you talking about ? There are many...
I think you want a frame pdu which is both the header and payload frame, right ?
I added the standard Pdu frame...
And will do so for Websocket ;-)
        Ok(())
    }

fn enip_vendorid_string(p: u16) -> Option<&'static str> {
where does this list come from?
    }
}

fn enip_devicetype_string(p: u16) -> Option<&'static str> {
what is the source of this info?
I bet on Wireshark
Continued in #11174
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/3958
Describe changes:
Along the way, also
#10850 with needed rebase
SV_BRANCH=OISF/suricata-verify#1666